Sub-delegation is something that I've looked at as well. Specifically, for resource holders that are renting out IP space .. if they could sub delegate to a CA managed by the broker or the actual customer using the resource, that could be very beneficial.
Just to name a specific use-case.. Erik Bais On 07/10/2021, 16:31, "routing-wg on behalf of Tim Bruijnzeels" <[email protected] on behalf of [email protected]> wrote: Dear all, I would like to support this proposal. As an implementer of an open-source RPKI CA I find that a large part of the support questions that we get, and the hesitation to run a delegated CA, stems from the requirement to not just run a CA, which can even be offline between signing events, but a 24/7 repository as well. If this is added to the RIPE NCC RPKI backlog then I would also request that LIRs, and PI holders, can have multiple CAs publish at the RIPE NCC. The reason for this is that one of benefits of running a delegated CA lies in having the option to sub-delegate to child CAs. For example one can create child CAs with specific sub-sets of resources for departments, business units etc. To make this scale it would very beneficial if those children could publish under the publication server as well. Kind regards, Tim > On 20 Sep 2021, at 13:26, Job Snijders via routing-wg <[email protected]> wrote: > > Hi working group, > > In recent mail threads the concepts of "Hosted RPKI" and "Delegated > RPKI" came up, but as mentioned by Tim and Rubens, another flavor also > exists! A "hybrid" between Delegated and Hosted, informally known as > "publish in parent" (aka RFC 8181 compliant Publication Services). > > There are multiple benefits to the general RPKI ecosystem when RIRs and > NIRs support RFC 8181: > > * Resource Holders are relieved from the responsibility to operate > always online RSYNC and RRDP servers. > > * Reducing the number of Publication servers reduces overall > resource consumption for Relying Parties. Consolidation of > Publication Servers improves efficiency and is generally > considered advantageous. > > * Helps avoid "reinventing the wheel": it might be better to have a > small group of experts build a globally performant and resillient > infrastructure that serves everyone, rather than everyone building > the 'same' infrastructure. > > Other RIRs and NIRs are also working on RFC 8181 support. RFC 8181 is > relatively new so it'll take some time before we see universal > availability. > > NIC.BR (available): https://registro.br/tecnologia/numeracao/rpki/ > APNIC (available): https://blog.apnic.net/2020/11/20/apnic-now-supports-rfc-aligned-publish-in-parent-self-hosted-rpki/ > ARIN (planned): https://www.arin.net/participate/community/acsp/suggestions/2020/2020-1/ > > Is implementing RFC 8181 support something RIPE NCC should add to the > https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/rpki-planning-and-roadmap ? > > What do others think? > > Kind regards, > > Job > > Relevant documentation: > https://datatracker.ietf.org/doc/html/rfc8181 >
