Job Snijders wrote on 25/02/2025 18:40:
I personally think it is helpful for both the community and RIPE NCC to have an inkling of an idea what 'reasonable efforts' might constitute, to shape expectations.
yep, agreed. As I understand it, the RIPE NCC often uses WG discussions to shape their opinions on how to build working procedures.
Secondly in terms of timelines, the NCC will have some form of communication details for the CAs, as part of setting them up in the first place. I'd suggest a graduated approach to this:
1. notification after X months of fresh manifest non-availability 2. warning after Y months 3. removal after Z months
If delegation is removed without warnings, this will invite people to complain.
Sure, but does that need to be part of the policy?
I'd suggest putting in some text to cover this, for example: If RIPE NCC is unable to discover and validate a Delegated RPKI Certification Authority's (CA's) current Manifest and CRL for one hundred consecutive days, that Delegated CA's resource certificate shall be revoked by the RIPE NCC. RIPE NCC shall make reasonable efforts to discover new Manifests, to notify the Delegated CA operator if a current Manifest and CRL cannot be validated, and to notify the operator if the delegation is revoked." Minor nit: it would be more normal to use calendar months for longer time periods instead of base-10 numbers of days. I'd suggest reconsidering the 100 days thing, especially if there's a gradual response approach implemented, e.g. 1 month between notification, warning and revocation.
What's the difference between step 1 and step 2 in your listing?
1. "hey, we've noticed that there's a problem" 2. "this is going on too long. as it has operational consequences for other operators, if you don't fix this by date XXXX, the delegation will be revoked". 3. "still broken, so we've pulled the delegation."
What if the notification emails can't be delivered, should that delay the revocation?
1. it's the responsibility of the resource holder to ensure that their contact details are accurate and 2. no, it shouldn't delay the revocation. There is an option to add delegated CA contact checks into the ARC. I don't know whether this would add enough value to justify it. Nick