Dear all,

Based on the impact analysis provided by the Secretariat for proposal
prop-166-v001 and conversation with APNIC's RPKI engineers, to me it
seems APNIC has a very solid understanding of what the policy entails,
its potential effects, and how to implement it.

I support acceptance & implementation of policy proposal prop-166
"Revocation of Persistently Non-functional RPKI Certification
Authorities".

I'd like to point the community to the similar policy proposal in the
RIPE NCC region which currently is under discussion in RIPE's Routing
Working Group. So far, it seems discussion participants are very
supportive of the concept. The RIPE thread can be reviewed here:
https://mailman.ripe.net/archives/list/[email protected]/thread/FFTEF5HI2NGVX3OYCXJBFLHRVNDLVH2N/

Kind regards,

Job
(author of policy proposal prop-166)


On Fri, Aug 15, 2025 at 08:14:27AM -0000, Dave Phelan wrote:
> Dear SIG members,
> Here is the Secretariat impact analysis for proposal "prop-166-v001:
> Revocation of Persistently Non-functional RPKI Certification Authorities" and
> the same is also published at:
> https://www.apnic.net/community/policy/proposals/prop-166/
> Regards
> Dave Phelan
> on Behalf of APNIC Secretariat
> 1. APNIC's Understanding of the Proposed Policy
> This Proposed Policy would require that APNIC revoke the RPKI certificate for
> any Self-Hosted Certification Authority (CA) that has not updated its
> manifest or Certificate Revocation List (CRL) for longer than 2 months.
> As months do not have a fixed number of days, APNIC will use 60 days as the
> threshold rather than 2 months.
> Once a Self-Hosted CA has been revoked, it can be recreated through the
> normal processes as listed in the last paragraph of
> https://www.apnic.net/community/security/resource-certification/.
> It is the Secretariat's understanding that this will not invalidate a
> Self-Hosted CA's RPKI objects, and in particular ROAs, as the CRL and Manifest
> in the publication point of the CA would have expired before the 60 day
> period has passed.
> The Policy Proposal does not target the CAs of the National Internet
> Registries (NIRs) and is targeting the persistently non-functional CAs. The
> Proposed Policy text uses the term "Delegated CA", which is referred to in
> the APNIC Certification Practice Statement as "Self-Hosted". These terms are
> interchangeable and can be updated during the editorial and comment
> process (APNIC-112). The Secretariat also notes that there is a similar proposal
> in RIPE with a proposed 90 day threshold.
> 2. Impact of Proposed Policy on Registry and Addressing System
> No impact to the Registry and Addressing System.
> 3. Impact of Proposed Policy on APNIC Operation/Services
> Due to the low number of Self-Hosted CAs within the APNIC service region, and
> the unlikely nature of there being a significant number being added, the
> following impacts could be observed:
>
> Software: Update systems to:
> - Monitor Manifests and CRLs published by each Self-Hosted CA at a nominated
>   interval.
> - If APNIC is unable to discover and validate a Self-Hosted CA's current
>   Manifest and CRL for more than 60 days, that Self-Hosted CA will be removed
>   as a child and its resource certificate will be revoked by the APNIC Parent
>   CA.
> - Before removing the Self-Hosted CA, warning emails will be sent to the known
>   contacts of the Self-Hosted CA.
>
> Member Services: The Secretariat anticipates a slight increase in the number
> of requests from non-functional CA operators.
>
> 4. Legal Impact of Proposed Policy
> If this policy proposal is accepted, APNIC will be required to revoke the
> certificates of certificate holders who chose the Self-Hosted CA setup in
> instances where their Manifest and/or CRL have not been updated for a period
> of longer than 60 days.
> APNIC will need to update the APNIC Certification Practice Statement (CPS) to
> encompass the Proposed Policy requirements.
> APNIC will need to update the RPKI Terms and Conditions to encompass the
> Proposed Policy requirements.
> 5. Implementation
> There is a medium impact on software and legal teams, and if this proposal
> were to reach consensus, the implementation time frame would be approximately 3
> months, subject to the call for editorial comments period.

_______________________________________________
SIG-policy - https://mailman.apnic.net/[email protected]/
To unsubscribe send an email to [email protected]
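The monitoring logic sketched in section 3 of the quoted impact analysis (poll each Self-Hosted CA's manifest and CRL, warn the contacts, and revoke once nothing current has been validated for more than 60 days) is small enough to show as a worked example. The Python below is an added illustration written for this page; it is not APNIC's implementation and not part of the proposal. The 60-day threshold comes from the impact analysis; the 45-day warning point, the record layout, the CA handles and the observation dates are all constructed assumptions for the example. Fetching and validating the actual RPKI objects is out of scope here: the input is simply the last time a current, valid manifest and CRL were seen for each CA.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Threshold stated in the impact analysis: "more than 60 days".
REVOKE_AFTER_DAYS = 60
# Assumed: when to start sending warning emails. The proposal only says
# warnings precede removal; 45 days is a placeholder chosen for this example.
WARN_AFTER_DAYS = 45


@dataclass
class CaObservation:
    """What the monitor knows about one Self-Hosted (delegated) CA.

    last_valid_manifest / last_valid_crl are the most recent times a current,
    validating object was fetched from the CA's publication point. None means
    nothing valid has been seen since the CA was enrolled under the parent.
    """
    handle: str
    enrolled: datetime
    last_valid_manifest: Optional[datetime]
    last_valid_crl: Optional[datetime]


def staleness_days(obs: CaObservation, now: datetime) -> int:
    """Days since the CA last had BOTH a current manifest and a current CRL.

    The policy requires both objects to be kept current, so the clock runs
    from the older of the two timestamps. A CA that has never published a
    valid object is measured from its enrolment date.
    """
    manifest_ts = obs.last_valid_manifest or obs.enrolled
    crl_ts = obs.last_valid_crl or obs.enrolled
    return (now - min(manifest_ts, crl_ts)).days


def classify(obs: CaObservation, now: datetime) -> str:
    """Return 'ok', 'warn' or 'revoke' for one CA.

    'revoke' means the parent CA should remove the child and revoke its
    resource certificate; by that point the child's own manifest and CRL
    have long since expired, so relying parties already treat its ROAs as
    stale and revocation does not change their validation outcome.
    """
    days = staleness_days(obs, now)
    if days > REVOKE_AFTER_DAYS:
        return "revoke"
    if days >= WARN_AFTER_DAYS:
        return "warn"
    return "ok"


def evaluate(observations: List[CaObservation], now: datetime) -> Dict[str, str]:
    """Run one monitoring pass and return {handle: action}."""
    return {obs.handle: classify(obs, now) for obs in observations}


def _d(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample state for a single monitoring pass on 2025-08-15.
NOW = _d(2025, 8, 15)
SAMPLE = [
    # Healthy CA: republished yesterday.
    CaObservation("CA-A", _d(2024, 1, 10), _d(2025, 8, 14), _d(2025, 8, 14)),
    # Manifest stale for 51 days, CRL for 45: past the warning point.
    CaObservation("CA-B", _d(2024, 1, 10), _d(2025, 6, 25), _d(2025, 7, 1)),
    # Nothing current for 106 days: past the 60-day threshold.
    CaObservation("CA-C", _d(2024, 1, 10), _d(2025, 5, 1), _d(2025, 5, 1)),
    # Enrolled 167 days ago and never published anything valid.
    CaObservation("CA-D", _d(2025, 3, 1), None, None),
]

if __name__ == "__main__":
    for handle, action in evaluate(SAMPLE, NOW).items():
        print(f"{handle}: {action}")
```

Running the block prints one line per CA; only CA-C and CA-D reach the revoke state, and CA-B would receive the warning email ahead of any removal. In a real deployment the "revoke" outcome would feed the existing parent-CA revocation and child-removal workflow rather than act directly, and the warning step would be rate-limited so contacts are not mailed on every polling interval.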
