
Nick,

I concur with your text and the intent behind this to help clean up the ecosystem. I view this as similar to many other registration vs delegation cases, e.g.: if you delegate a domain name to servers that don't respond, I would support removing that delegation but not the associated registration. Same for delegated PTR/in-addr services.

I like the idea of approximately 3 months but for practical reasons think it could be shorter or left with an advisory range for implementation. You want enough to cover a short leave of absence/August in Europe but not so long that the domain names could expire 😊

I would also provide some guidance of automatic removal of delegations if the domain registration fails to exist after 7 days. I see this as common sense but likely worthwhile to write down to avoid the principle of least surprise.

- Jared

Sent via RFC1925 compliant device

On Feb 25, 2025, at 5:10 PM, Nick Hilliard <nick@foobar.org> wrote:
If RIPE NCC is unable to discover and validate a Delegated RPKI Certification Authority's (CA's) current Manifest and CRL for one hundred consecutive days, that Delegated CA's resource certificate shall be revoked by the RIPE NCC. RIPE NCC shall make reasonable efforts to discover new Manifests, to notify the Delegated CA operator if a current Manifest and CRL cannot be validated, and to notify the operator if the delegation is revoked."
Minor nit: it would be more normal to use calendar months for longer time periods instead of base-10 numbers of days. I'd suggest reconsidering the 100 days thing, especially if there's a gradual response approach implemented, e.g. 1 month between notification, warning and revocation.