Dear all, On Mon, Apr 14, 2025 at 01:19:43PM +0000, Job Snijders wrote:
To facilitate research and policy development in the space of non-functional RPKI Certification Authorities, a new feature was added to the rpki-client validator implementation. Rpki-client version 9.5 now emits easily parsable indicators listing all valid & non-revoked RPKI CA certificates for which currently no valid Manifest is available.
I created this hourly updated retro-looking page with rpki-client's new "non-functional CA detection" functionality & data from rpkiviews.org: https://console.rpki-client.org/nonfunc.html The page shows all the world's non-revoked non-functional CAs, enriched with timestamps indicating when the (since then continuous) downtime started (from the perspective of console.rpki-client.org). I emphasize that this listing is specific to console.rpki-client.org because - when it comes to automated revocation policies - I think it is important to corroborate multiple validator vantage points to ensure local network connectivity issues are not the cause of the CA being flagged as non-functional. The policy proposal at hand only targets Delegated CAs within RIPE NCC's revocation scope, those entries can be recognized by the "Authority info access:" value being "rsync://rpki.ripe.net/repository/aca/KpSo3VVK5wEHIJnHC2QHVV3d5mk.cer" FREQUENTLY ASKED QUESTIONS ========================== Q: Am I in trouble? I see my ASN or IP prefix listed in this overview! A: RPKI CA's being non-functional for extended periods of time is a nuisance: broken CAs cause RPKI Cache Validators to emit lots of syslog messages, and resources are wasted in attempting to synchronize to the non-functional CA's repository. Do your part now by fixing your CA or by voluntarily revoking it! :) Q: Should other RIR communities also start discussing the automatic revocation of RPKI CAs which have continuously been non-functional for extended periods of time? A: Yes, absolutely! Q: Has RIPE NCC assigned a policy proposal version number yet? A: nope... Kind regards, Job