
Hi Theo,
On 7 Aug 2025, at 16:04, Theo Buehler <tb@theobuehler.org> wrote:
> Hi
> https://www.ripe.net/community/policies/proposals/2025-02#impact-analysis
> I'm somewhat confused about this paragraph:
> It is the RIPE NCC’s understanding that this proposal, if accepted, will require the RIPE NCC to revoke the RPKI certificate for any Delegated Certification Authorities (CAs) that have not updated their manifest and/or Certification Revocation List (CRL) for longer than three months.
> This sounds as if the three months (90 days) are counted starting from a manifest's or CRL's thisUpdate, whereas an ulterior paragraph seems to imply that the nextUpdate is intended:
> From this, the RIPE NCC interprets that if the RIPE NCC is unable to discover and validate a Delegated CA's current Manifest and CRL for more than 90 days, that Delegated CA will be removed as a child, and its resource certificate will be revoked by the RIPE NCC parent CA.
> The latter interpretation makes more sense to me and perhaps the first paragraph should insert "after expiry" at the end or something with an equivalent effect.
It was not our intention to introduce an inconsistency. The first paragraph was just intentionally a bit lighter on detail to make it more readable to readers who are less well versed in RPKI. That said, I think your suggestion to insert "after expiry" at the end makes sense. Thank you for pointing this out!
Kind regards,
Tim Bruijnzeels
RIPE NCC