Dear all,

To facilitate research and policy development in the space of
non-functional RPKI Certification Authorities, a new feature was added
to the rpki-client validator implementation. Rpki-client version 9.5 now
emits easily parsable indicators listing all valid & non-revoked RPKI
CA certificates for which currently no valid Manifest is available.

In the rpki-client JSON output the 'metadata' object now contains a
'nonfunctionalcas' gauge metric type which represents the number of
non-functional CAs. The 'nonfunc_cas' object contains objects detailing the
Certification Authority's certificate location, the name of the trust anchor to
which the CA is subordinate, the location of the CA's repository, the
SubjectInformationAccess of the Manifest, and the CA's key identifier.

An example is available via https://console.rpki-client.org/rpki.json.gz

The proposal to the RIPE community to instruct RIPE NCC to revoke
persistently Non-functional Delegated CAs only applies to CAs which are
within RIPE NCC's revocation scope. These CAs can be identified by combining
the following two jq query filter components: select(.ta == "ripe") and
select(.location | startswith("rpki.ripe.net"))

Every time rpki-client is executed, the "nonfunc_cas" object is
populated with a listing of CAs which are non-functional at that
particular moment. By repeatedly executing rpki-client and tracking the
state of the "nonfunc_cas" object over time, one can assess whether CAs
are persistently broken, unstable, or continuously reliable.

Going forward, the JSON in the http://www.rpkiviews.org/ tarballs also
contains a 'nonfunc_cas' object. This should make it easier for folks
to compare notes on whether CAs are "down for everyone or just me".

Upgrading is recommended; the rpki-client 9.5 release notes are here:
https://marc.info/?l=openbsd-announce&m=174441271311263&w=2

Kind regards,

Job

### how many CAs are non-functional?

$ curl --compressed -s https://console.rpki-client.org/rpki.json | jq '.metadata | {"time": .buildtime, "nonfunctionalcas": .nonfunctionalcas}'
{
  "time": "2025-04-14T12:23:49Z",
  "nonfunctionalcas": 113
}

### show all non-functional CAs, colorized by jq:

$ curl --compressed -s https://console.rpki-client.org/rpki.json | jq '.nonfunc_cas'
...

### show one random non-functional CA subordinate to RIPE NCC

$ curl --compressed -s https://console.rpki-client.org/rpki.json | jq '[ .nonfunc_cas[] | select(.ta == "ripe") | select(.location | startswith("rpki.ripe.net")) ][0]'
{
  "location": "rpki.ripe.net/repository/DEFAULT/w9a4Z_-YTcfF6szS2j-Szzxnfas.cer",
  "ta": "ripe",
  "caRepository": "rsync://rsync.paas.rpki.ripe.net/repository/c58479df-f5b7-4453-92bf-de1f61b3d4b0/0/",
  "rpkiManifest": "rsync://rsync.paas.rpki.ripe.net/repository/c58479df-f5b7-4453-92bf-de1f61b3d4b0/0/C3D6B867FF984DC7C5EACCD2DA3F92CF3C677DAB.mft",
  "ski": "C3D6B867FF984DC7C5EACCD2DA3F92CF3C677DAB"
}

### show the locations of the Manifests of currently non-functional CAs relevant for this policy proposal:

$ curl --compressed -s https://console.rpki-client.org/rpki.json | jq '.nonfunc_cas[] | select(.ta == "ripe") | select(.location | startswith("rpki.ripe.net")) | .rpkiManifest'
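
An added example, not part of the original message and not rpki-client code: one way to do the tracking over time described above, classifying CAs from several saved rpki-client JSON outputs after applying the same two scope filters. The snapshot contents, certificate names and the "persistent"/"unstable" labels are constructed for illustration.

```python
import json

def in_ripe_scope(ca):
    # Mirrors the two jq filters from the message:
    # select(.ta == "ripe") and select(.location | startswith("rpki.ripe.net"))
    return ca.get("ta") == "ripe" and ca.get("location", "").startswith("rpki.ripe.net")

def load_snapshot(text):
    """Return (buildtime, set of in-scope non-functional CA cert locations)."""
    doc = json.loads(text)
    cas = {ca["location"] for ca in doc.get("nonfunc_cas", []) if in_ripe_scope(ca)}
    return doc["metadata"]["buildtime"], cas

def classify(snapshot_texts):
    """Classify every in-scope CA seen in 'nonfunc_cas' across the given runs."""
    # ISO 8601 UTC buildtimes sort correctly as plain strings.
    runs = sorted((load_snapshot(t) for t in snapshot_texts), key=lambda r: r[0])
    report = {}
    for loc in set().union(*(cas for _, cas in runs)):
        present = [loc in cas for _, cas in runs]
        streak = 0  # consecutive most recent runs in which the CA was listed
        for p in reversed(present):
            if not p:
                break
            streak += 1
        # A CA missing from a run is not necessarily healthy again: its
        # certificate may have been revoked or expired, so it is no longer listed.
        report[loc] = {"status": "persistent" if all(present) else "unstable",
                       "seen": sum(present), "runs": len(runs), "streak": streak}
    return report

# Constructed sample data: three runs reduced to the fields used above.
def _ca(name, ta="ripe", host="rpki.ripe.net"):
    return {"location": f"{host}/repository/DEFAULT/{name}.cer", "ta": ta, "ski": name.upper()}

def _snap(buildtime, cas):
    return json.dumps({"metadata": {"buildtime": buildtime, "nonfunctionalcas": len(cas)},
                       "nonfunc_cas": cas})

SNAPSHOTS = [
    _snap("2025-04-14T12:00:00Z", [_ca("aaa"), _ca("bbb"), _ca("ccc", "arin", "rpki.example.org")]),
    _snap("2025-04-14T13:00:00Z", [_ca("aaa"), _ca("ddd", host="rpki.example.net")]),
    _snap("2025-04-14T14:00:00Z", [_ca("aaa"), _ca("bbb")]),
]

if __name__ == "__main__":
    for loc, r in sorted(classify(SNAPSHOTS).items()):
        print(f'{r["status"]:10} {r["seen"]}/{r["runs"]} streak={r["streak"]} {loc}')
```

CAs that never appear in "nonfunc_cas" are simply absent from the report, so the output covers the persistently broken and unstable cases only.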