
Dear fellow Members, Dear RIPE Team,

We currently discuss a somehow strange thing.

Could the RIPE NCC be forced to inject false ROAs (e.g. for censorship)? If so, is there any legal framework for it?

Does the RIPE NCC have any information on attempts?

Best, Maxi

Legal notice: Zeug e.K., Hochstraße 15, 92637 Theisseil
Owner: Maximilian Schieder
Phone: 015678 572314 E-mail: maxi@zeug.co
Registration court: Amtsgericht Weiden in der Oberpfalz, Registration number: HRA 2907

Dear Maxi,

technically - yes, they can. For me, that is the main disadvantage of any centralized PKI system.

On 23.10.20 14:37, Maxi wrote:
> Dear fellow Members, Dear RIPE Team,
> We currently discuss a somehow strange thing.
> Could the RIPE NCC be forced to inject false ROAs (e.g. for censorship)? If so, is there any legal framework for it?
> Does the RIPE NCC have any information on attempts?
> Best, Maxi

So need to form a policy to make RIPE members informed about any requests, and enforce it to be included into RIPE NCC rules of conduct.

Best regards, Ivan Kazmin

________________________________
From: members-discuss <members-discuss-bounces@ripe.net> on behalf of Max Tulyev <maxtul@netassist.ua>
Sent: 26 October 2020 13:04:20
To: members-discuss@ripe.net
Subject: Re: [members-discuss] Injection of false RPKI ROAs

> Dear Maxi,
>
> technically - yes, they can. For me, that is the main disadvantage of any centralized PKI system.
>
> On 23.10.20 14:37, Maxi wrote:
>> Dear fellow Members, Dear RIPE Team,
>> We currently discuss a somehow strange thing.
>> Could the RIPE NCC be forced to inject false ROAs (e.g. for censorship)? If so, is there any legal framework for it?
>> Does the RIPE NCC have any information on attempts?
>> Best, Maxi

Dear Maxi,

ROAs are created and maintained by resource holders for the Internet number resources they hold. Any changes to ROAs are automatically updated and reflected in the repository. The RIPE NCC has no involvement here and does not need to "inject" ROAs on purpose [1].

We have never received a request to "inject" or modify ROAs. You can see how we would respond to such a request in "Handling Requests for Information, Orders and Investigations from Law Enforcement Agencies" here: https://www.ripe.net/publications/docs/ripe-675

According to this process, we will only comply with a request if we receive a Dutch court order served by a Dutch law enforcement agency, or a binding order from law enforcement or regulatory authorities that are operating as required under Dutch criminal or administrative law. Each order will be evaluated on its own merits. If an order is considered illegal or of a non-obligatory nature, the RIPE NCC will not comply with it and will challenge it either before the authority giving the order or before a civil or criminal court, depending on the specific circumstances.

Regards,
Athina Fragkouli
Chief Legal Officer
RIPE NCC

On 23 Oct 2020, at 13:37, Maxi <maxi@zeug.co> wrote:
> Dear fellow Members, Dear RIPE Team,
> We currently discuss a somehow strange thing.
> Could the RIPE NCC be forced to inject false ROAs (e.g. for censorship)? If so, is there any legal framework for it?
> Does the RIPE NCC have any information on attempts?
> Best, Maxi

Dear Athina,

On 27.10.20 18:06, Athina Fragkouli wrote:
> ROAs are created and maintained by resource holders for the Internet number resources they hold. Any changes to ROAs are automatically updated and reflected in the repository. The RIPE NCC has no involvement here and does not need to "inject" ROAs on purpose [1]. We have never received a request to "inject" or modify ROAs. You can see how we would respond to such a request in "Handling Requests for Information, Orders and Investigations from Law Enforcement Agencies" here: https://www.ripe.net/publications/docs/ripe-675

It does not mean that these types of requests will not be received in future. Yes, the majority of legal authorities do not know anything about RPKI. Yet. When they learn something about it, they for sure will try to use it, even not fully understanding it. This can result in global Internet disruption (if RPKI will be fully implemented whenever).

> According to this process, we will only comply with a request if we receive a Dutch court order served by a Dutch law enforcement agency, or a binding order from law enforcement or regulatory authorities that are operating as required under Dutch criminal or administrative law. Each order will be evaluated on its own merits. If an order is considered illegal or of a non-obligatory nature, the RIPE NCC will not comply with it and will challenge it either before the authority giving the order or before a civil or criminal court, depending on the specific circumstances.

If an order is considered illegal or of a non-obligatory nature - BY WHICH PERSON? By RIPE NCC staff? Let me remind you, we are talking about a court or other government authority order.

I prefer to build the whole world critical infrastructure so that it can't be taken down in such a way. Distributed blockchain, for example, is a good example for publishing keys and signatures... But does somebody care?
participants (4)
- Athina Fragkouli
- Max Tulyev
- Maxi
- Казьмин Иван Олегович