David Monosov wrote: [...] First of all, I appreciate your thoughtful comments, as they touch on a couple of issues I'm having with RPKI (and some others)! A few comments from my end in-line.
There was a time when the last 'R' in 'RIR' stood for 'Registry', and as such the function of RIPE NCC was not profoundly different from the function of a wedding gift registry - convenient means to reduce the embarrassment of a household opening two packages containing two identical toasters when unwrapping gifts.
Today, the last 'R' in 'RIR' is silent, and appears in the minds of some to have been replaced with 'A' for 'Authority'. This is an unfortunate, and I believe, largely unintended development.
Well, at some point in time the AA community started to flock together, to point fingers at the NCC, for doing *too little* checking, and so on.
It appears to me from Nick's last e-mail that there is an idea circulating out there that the current operational practice is the consequence of attempting to fulfill a set of criteria which is necessary to give some legal weight to the process of resource certification, as an obvious and logical extension of the RPKI efforts.
Well, yes, and in some countries (I don't know about the NL, though!) there is law which requires any organisation issuing digital certificates, or using digital signatures for business purposes, to adhere to (rather strict) boundary conditions.
I don't see any benefit to the RIPE NCC drowning in an escalating bureaucratic horror conjured out of externally placed requirements (whether they are borrowed from the EU e-Commerce directive, or elsewhere), performing mysterious document authentication rituals for the purpose of issuing a certificate of dubious worth, but which in turn is fully compliant with some external set of legal requirements.
Unfortunately, the times where "we" could play while ignoring the legal environment have pretty much gone by :-(
Wearing my professional hat for a moment, I certainly am not paying LIR fees to subsidize the transition of the RIPE NCC into the next VeriSign or Thawte as a general purpose certificate authority, subject to all the environmental pressures such authorities find themselves exposed to.
This is an aspect I'd like to factor out into the separate discussion on the function (and including the credibility) of a Sponsoring LIR. IMHO there's room for improvement here.
To me, RPKI, if done at all (and that is a big "if"), is a technical solution; the "strength" of the input, in terms of identity verification (and the operational procedures which are acceptable to that end) are to be determined ad-hoc by the community through the policy process, and strengthened or loosened as needed to meet policy goals.
We need to stop and consider if RPKI, by necessity, indeed requires a transition from Internet "Registries" to Internet "Authorities", with all that entails -
I think there's a good reason why the "A" in CA and RA stands for "Authority". If we "just" want a CR and a RR, then I guess we already do have that in place?
and if this is something we are willing to embrace. This isn't an introduction of a new service into a RIR's catalog, this is a paradigm shift. One which we need to concretely address in order to be able to hold a meaningful discussion as to which operational practices are or aren't necessary, and toward what goal.
Wilfried.