
Dear Jared, others,

Thanks for the feedback!

On Tue, Feb 25, 2025 at 03:30:41PM +0000, Jared Mauch wrote:
On Tue, Feb 25, 2025 at 12:05:21PM +0000, Job Snijders wrote:
b. Arguments opposing the proposal
* Resource holders might require more than one hundred days to complete the initial Delegated CA setup.
(Counterpoints: initial setup procedures usually only take a few minutes. Resource holders are free to simply retry the delegated CA setup procedure following automatic revocation.)
Additional opposing arguments to be determined.
I could see some cases where, due to political instability, one may not want to automatically trigger this, but it also seems that should the resource(s) come back online, re-enabling the delegation shouldn't be too difficult.
We have seen several cases where extended outages due to natural disasters have caused extended duration outages, but a dialogue should be possible to occur prior to this to make a decision.
I can imagine a few other cases where a company may be in receivership but also think these are likely limited enough whereby there would be a chance for discussions on the operational side to give the option to remove the delegation until the delegated CA can be restored or decommissioned.
Allowing for a 100 day period should be ample for most transient outages. Keep in mind that these delegations _already were non-functional_ prior to revocation. This means that for more than 100 days no ROAs, nor RSCs, nor ASPAs, nor BGPsec router keys could be validated via the CA in question. In other words, even when political reasons cause the extended outage, already during that outage RPKI validators couldn't extract information signed by that CA. The proposal is about cleaning up what's already broken (for very extended periods of time), cognizant that the affected resource holder can always re-instate a Delegated CA setup with just a few mouse clicks in a matter of minutes.
I support this proposal but want to leave some discretion at the hands of RIPE staff to not have a hard timer remove a delegation if it is still in the process of being restored.
Point of clarification: whether a CA ought to be classified as 'non-functional' or 'functional' is not a matter of something being online or offline, but rather "has the CA managed to sign and publish a new Manifest at any point in the last 100 days"? For example, this ancient manifest still is available 'online':

    $ rsync -t rsync://rpkica.mckay.com/rpki/MCnet/Jp4Tjp_GB5I1RfeaOGhKZNlDmAQ.mft
    -rw-r--r-- 1,946 2022/03/04 00:27:02 Jp4Tjp_GB5I1RfeaOGhKZNlDmAQ.mft

however, the above Manifest hasn't been valid since Fri 04 March 2022 06:27:02 (UTC).

The proposal text states that resource holders can just reinitialize the Delegated CA setup process after revocation (or use the Hosted CA setup). So when a delegation 'lapses', the resource holder can easily get things going again following normal procedures.

Kind regards,

Job
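The freshness test from the point of clarification above, as an added example that is neither part of the original message nor RIPE NCC's implementation: it reads thisUpdate and nextUpdate from an RFC 9286 Manifest eContent and applies an assumed 100-day rule keyed on thisUpdate. The sample bytes, the `classify` helper and the evaluation time are constructed for illustration; only the 2022-03-04 06:27:02 UTC expiry comes from the message.

```python
from datetime import datetime, timedelta, timezone

def tlv(tag, body):
    """Encode one DER element (short-form length only, enough for this sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def manifest_times(econtent):
    """Extract (thisUpdate, nextUpdate) from an RFC 9286 Manifest eContent."""
    tag, body, _ = read_tlv(econtent, 0)
    if tag != 0x30:
        raise ValueError("Manifest must be a SEQUENCE")
    times, pos = [], 0
    while pos < len(body) and len(times) < 2:
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x18:                    # GeneralizedTime, YYYYMMDDHHMMSSZ
            t = datetime.strptime(value.decode("ascii"), "%Y%m%d%H%M%SZ")
            times.append(t.replace(tzinfo=timezone.utc))
    if len(times) != 2:
        raise ValueError("thisUpdate/nextUpdate not found")
    return times[0], times[1]

def classify(econtent, now, limit_days=100):
    """Assumed rule: functional if a manifest was signed within limit_days."""
    this_update, next_update = manifest_times(econtent)
    return {
        "currently_valid": this_update <= now <= next_update,
        "days_since_signed": (now - this_update).days,
        "functional": now - this_update <= timedelta(days=limit_days),
    }

# Constructed sample eContent: nextUpdate is the expiry quoted in the message,
# thisUpdate (24 hours earlier) and the remaining fields are made up.
SAMPLE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x18, b"20220303062702Z")
             + tlv(0x18, b"20220304062702Z")
             + tlv(0x06, bytes.fromhex("608648016503040201")) + tlv(0x30, b""))
NOW = datetime(2025, 2, 25, 15, 30, 41, tzinfo=timezone.utc)  # date of the quoted reply
print(classify(SAMPLE, NOW))
```

The result does not depend on whether the file can still be fetched over rsync, only on the timestamps signed into the manifest.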