This all sounds entirely reasonable.

I'd love for the NCC to document their solution in a similar fashion if/when this proposal is accepted.
-- 
Tom Strickx
Principal Network Engineer
AS13335 - Cloudflare


On Fri, Jun 6, 2025 at 2:31 PM Job Snijders <job@sobornost.net> wrote:
On Fri, Jun 06, 2025 at 01:29:14PM +0100, Tom Strickx via routing-wg wrote:
> Happy to see this proposal!
> Fully in agreement with Nick that bogging down the policy with
> implementation details is a bad idea.

Thanks!

> It might be relevant to operators to tie down the "unable to discover"
> component. What is considered "reasonable efforts" in this context?

Speaking as an RPKI operator I'd expect RIPE NCC to make reasonable efforts
to discover new Manifests, for example, by corroborating information
from multiple vantage points.

The NCC could run a handful of validator instances (produced by
different vendors) in different geographical regions behind different
providers, then when 100% of those instances report the CA was
non-functional for 100% of all individual measurements for a 3+ month
period, conclude the Delegated CA is kaput.

5 instances times 4 runs per hour times 3 months = 44,640 measurements.

If the NCC makes more than 44,000 attempts to discover+validate a CA's
Manifest from more than 4 countries, I'd say that is more than
reasonable.

Should this policy proposal advance, RIPE NCC themselves can probably
shed more light on how they'd approach measuring whether a CA is
non-functional or not.

Kind regards,

Job