Dear all,

On Mon, Apr 14, 2025 at 01:19:43PM +0000, Job Snijders wrote:
> To facilitate research and policy development in the space of
> non-functional RPKI Certification Authorities, a new feature was added
> to the rpki-client validator implementation. Rpki-client version 9.5 now
> emits easily parsable indicators listing all valid & non-revoked RPKI
> CA certificates for which currently no valid Manifest is available.

I created this hourly updated retro-looking page with rpki-client's new
"non-functional CA detection" functionality & data from rpkiviews.org:

https://console.rpki-client.org/nonfunc.html

The page shows all the world's non-revoked non-functional CAs, enriched
with timestamps indicating when the (since then continuous) downtime
started (from the perspective of console.rpki-client.org).

I emphasize that this listing is specific to console.rpki-client.org
because - when it comes to automated revocation policies - I think it is
important to corroborate multiple validator vantage points to ensure
local network connectivity issues are not the cause of the CA being
flagged as non-functional.

The policy proposal at hand only targets Delegated CAs within RIPE NCC's
revocation scope; those entries can be recognized by the "Authority info
access:" value being
"rsync://rpki.ripe.net/repository/aca/KpSo3VVK5wEHIJnHC2QHVV3d5mk.cer"

FREQUENTLY ASKED QUESTIONS
==========================

Q: Am I in trouble? I see my ASN or IP prefix listed in this overview!
A: RPKI CA's being non-functional for extended periods of time is a
   nuisance: broken CAs cause RPKI Cache Validators to emit lots of
   syslog messages, and resources are wasted in attempting to
   synchronize to the non-functional CA's repository. Do your part now
   by fixing your CA or by voluntarily revoking it! :)

Q: Should other RIR communities also start discussing the automatic
   revocation of RPKI CAs which have continuously been non-functional
   for extended periods of time?
A: Yes, absolutely!

Q: Has RIPE NCC assigned a policy proposal version number yet?
A: nope...

Kind regards,
Job
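
The multi-vantage-point corroboration described in the message, as an added sketch that is not part of the original e-mail and is not rpki-client code. The record layout, vantage names, CA identifiers, sample timestamps and the 7-day threshold are assumptions made for illustration; only the "Authority info access" value is taken from the message.

```python
from datetime import datetime, timedelta, timezone

# AIA value quoted in the message: marks Delegated CAs in RIPE NCC's scope.
RIPE_AIA = "rsync://rpki.ripe.net/repository/aca/KpSo3VVK5wEHIJnHC2QHVV3d5mk.cer"

def corroborated_nonfunctional(vantages, now, min_downtime, aia=RIPE_AIA):
    """Return {ca_id: downtime_start} for CAs that every vantage point flags.

    vantages: {vantage_name: {ca_id: {"aia": str, "since": datetime}}}
    (hypothetical layout, not rpki-client's output format).
    A CA qualifies only if all vantage points list it, its AIA matches, and
    the latest reported downtime start is at least min_downtime ago, so even
    the most optimistic observer agrees the outage is long-running.
    """
    if not vantages:
        return {}
    views = list(vantages.values())
    common = set(views[0]).intersection(*views[1:])
    result = {}
    for ca in sorted(common):
        if any(v[ca]["aia"] != aia for v in views):
            continue  # outside the targeted revocation scope
        start = max(v[ca]["since"] for v in views)
        if now - start >= min_downtime:
            result[ca] = start
    return result

def _day(d):
    return datetime(2025, 4, d, tzinfo=timezone.utc)

# Constructed sample data from two hypothetical validator vantage points.
SAMPLE = {
    "vantage-a": {
        "CA-1": {"aia": RIPE_AIA, "since": _day(1)},
        "CA-2": {"aia": RIPE_AIA, "since": _day(2)},   # only seen down here
        "CA-3": {"aia": "rsync://other.example/ta.cer", "since": _day(1)},
        "CA-4": {"aia": RIPE_AIA, "since": _day(1)},
    },
    "vantage-b": {
        "CA-1": {"aia": RIPE_AIA, "since": _day(3)},
        "CA-3": {"aia": "rsync://other.example/ta.cer", "since": _day(1)},
        "CA-4": {"aia": RIPE_AIA, "since": _day(13)},  # recently reachable here
    },
}

if __name__ == "__main__":
    hits = corroborated_nonfunctional(SAMPLE, _day(14), timedelta(days=7))
    for ca, since in hits.items():
        print(ca, "down since", since.isoformat())
```
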