
Dear all,

To facilitate research and policy development in the space of non-functional RPKI Certification Authorities, a new feature was added to the rpki-client validator implementation. Rpki-client version 9.5 now emits easily parsable indicators listing all valid & non-revoked RPKI CA certificates for which currently no valid Manifest is available.

In the rpki-client JSON output the 'metadata' object now contains a 'nonfunctionalcas' gauge metric type which represents the number of non-functional CAs. The 'nonfunc_cas' object contains objects detailing the Certification Authority's certificate location, the name of the trust anchor to which the CA is subordinate, the location of the CA's repository, the SubjectInformationAccess of the Manifest, and the CA's key identifier.

An example is available via https://console.rpki-client.org/rpki.json.gz

The proposal to the RIPE community to instruct RIPE NCC to revoke persistently Non-functional Delegated CAs only applies to CAs which are within RIPE NCC's revocation scope. These CAs can be identified by combining the following two jq query filter components:

select(.ta =="ripe")

and

select(.location | startswith("rpki.ripe.net"))

Every time rpki-client is executed, the "nonfunc_cas" object is populated with a listing of CAs which are non-functional at that particular moment. By repeatedly executing rpki-client and tracking the state of the "nonfunc_cas" object over time, one can assess whether CAs are persistently broken, unstable, or continuously reliable.

Going forward, the JSON in the http://www.rpkiviews.org/ tarballs also contains a 'nonfunc_cas' object. This should make it easier for folks to compare notes on whether CAs are "down for everyone or just me".

Upgrading is recommended; the rpki-client 9.5 release notes are here: https://marc.info/?l=openbsd-announce&m=174441271311263&w=2

Kind regards,

Job

### how many CAs are non-functional?

$ curl --compressed -s https://console.rpki-client.org/rpki.json | jq '.metadata | {"time": .buildtime, "nonfunctionalcas": .nonfunctionalcas}'
{
  "time": "2025-04-14T12:23:49Z",
  "nonfunctionalcas": 113
}

### show all non-functional CAs, colorized by jq:

$ curl --compressed -s https://console.rpki-client.org/rpki.json | jq '.nonfunc_cas'
...

### show one random non-functional CA subordinate to RIPE NCC

$ curl --compressed -s https://console.rpki-client.org/rpki.json | jq '[ .nonfunc_cas[] | select(.ta =="ripe") | select(.location | startswith("rpki.ripe.net")) ][0]'
{
  "location": "rpki.ripe.net/repository/DEFAULT/w9a4Z_-YTcfF6szS2j-Szzxnfas.cer",
  "ta": "ripe",
  "caRepository": "rsync://rsync.paas.rpki.ripe.net/repository/c58479df-f5b7-4453-92bf-de1f61b3d4b0/0/",
  "rpkiManifest": "rsync://rsync.paas.rpki.ripe.net/repository/c58479df-f5b7-4453-92bf-de1f61b3d4b0/0/C3D6B867FF984DC7C5EACCD2DA3F92CF3C677DAB.mft",
  "ski": "C3D6B867FF984DC7C5EACCD2DA3F92CF3C677DAB"
}

### show the locations of the Manifests of currently non-functional CAs relevant for this policy proposal:

$ curl --compressed -s https://console.rpki-client.org/rpki.json | jq '.nonfunc_cas[] | select(.ta =="ripe") | select(.location | startswith("rpki.ripe.net")) | .rpkiManifest'
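
The tracking over time described in the message above, as an added example that is not part of the original post or of rpki-client: it takes several parsed rpki-client JSON dumps, applies the two scope filters from the post, and reports which CAs were listed in every run and which only in some. The function names, the "persistent"/"unstable" labels, and the sample entries (placeholder SKIs and locations) are assumptions made for this illustration.

```python
import json
from collections import defaultdict

def in_ripe_scope(ca):
    # The two jq filter components from the post, combined.
    return (ca.get("ta") == "ripe"
            and ca.get("location", "").startswith("rpki.ripe.net"))

def track(snapshots, in_scope=in_ripe_scope):
    """Classify CAs by how often they appear in 'nonfunc_cas' across runs.

    Returns {ski: {"state", "seen", "runs", "streak", "first_seen"}}; "streak"
    counts consecutive most-recent runs in which the CA was non-functional.
    CAs that never appear (continuously reliable) are absent from the result.
    """
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    runs = sorted(snapshots, key=lambda s: s["metadata"]["buildtime"])
    seen_in = defaultdict(set)
    for idx, snap in enumerate(runs):
        for ca in snap.get("nonfunc_cas", []):
            if in_scope(ca):
                seen_in[ca["ski"]].add(idx)
    report = {}
    for ski, idxs in seen_in.items():
        streak = 0
        while streak < len(runs) and (len(runs) - 1 - streak) in idxs:
            streak += 1
        report[ski] = {
            "state": "persistent" if len(idxs) == len(runs) else "unstable",
            "seen": len(idxs), "runs": len(runs), "streak": streak,
            "first_seen": runs[min(idxs)]["metadata"]["buildtime"],
        }
    return report

def _snap(buildtime, *cas):  # helper for the constructed sample data
    return {"metadata": {"buildtime": buildtime, "nonfunctionalcas": len(cas)},
            "nonfunc_cas": list(cas)}

# Constructed sample entries (SKIs and locations are placeholders, not real CAs).
A = {"ta": "ripe", "ski": "AA" * 20, "location": "rpki.ripe.net/repository/DEFAULT/a.cer"}
B = {"ta": "ripe", "ski": "BB" * 20, "location": "rpki.ripe.net/repository/DEFAULT/b.cer"}
C = {"ta": "ripe", "ski": "CC" * 20, "location": "repo.example.net/child/c.cer"}  # out of scope
SAMPLE = [_snap("2025-04-14T12:00:00Z", A, B, C),
          _snap("2025-04-14T13:00:00Z", A, C),
          _snap("2025-04-14T14:00:00Z", A, B, C)]

if __name__ == "__main__":
    print(json.dumps(track(SAMPLE), indent=2))
```

With real data, each snapshot is one saved rpki-client JSON dump loaded with json.load().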