Hi Theo, > On 7 Aug 2025, at 16:04, Theo Buehler <t...@theobuehler.org> wrote: > > Hi > >> https://www.ripe.net/community/policies/proposals/2025-02#impact-analysis > > I'm somwehat confused about this paragraph: > > It is the RIPE NCC’s understanding that this proposal, if accepted, will > require the RIPE NCC to revoke the RPKI certificate for any Delegated > Certification Authorities (CAs) that have not updated their manifest > and/or Certification Revocation List (CRL) for longer than three months. > > This sounds as if the three months (90 days) are counted starting from > a manifest's or CRL's thisUpdate, whereas an ulterior paragraph seems to > imply that the nextUpdate is intended: > > From this, the RIPE NCC interprets that if the RIPE NCC is unable to > discover and validate a Delegated CA's current Manifest and CRL for more > than 90 days, that Delegated CA will be removed as a child, and its > resource certificate will be revoked by the RIPE NCC parent CA. > > The latter interpretation makes more sense to me and perhaps the first > paragraph should insert "after expiry" at the end or something with an > equivalent effect.
It was not our intention to introduce an inconsistency. The first paragraph was just intentionally a bit lighter on detail to make it more readable to readers who are less well versed in RPKI. That said, I think your suggestion to insert "after expiry" at the end make sense. Thank you for pointing this out! Kind regards, Tim Bruijnzeels RIPE NCC > ----- > To unsubscribe from this mailing list or change your subscription options, > please visit: https://mailman.ripe.net/mailman3/lists/routing-wg.ripe.net/ > As we have migrated to Mailman 3, you will need to create an account with the > email matching your subscription before you can change your settings. > More details at: https://www.ripe.net/membership/mail/mailman-3-migration/ ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/routing-wg.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
