[address-policy-wg] Legal counsel on 2008-08 (Initial Certification Policy in the RIPE NCC Service Region)

Hi,

On Wed, Jun 1, 2011 at 5:04 PM, Sander Steffann <sander at steffann.nl> wrote:
> Hi,
>
>> How can the "risk" of the government being minimized or limited? Or maybe
>> being build in such a way that its not easy/possible for government to do
>> damange? (quite impossible task since the government pretty much can
>> do whatever they want when they are in power... and the power are giving
>> to them by the people in most countries)
>
> My personal opinion is that the best way to stop any abuse in the future is to leave open the possibility of reverting 2008-08 in the future when such abuse becomes a reality. And we already have that possibility already: a proposal to withdraw or change a policy will always be handled according to the PDP (Policy Development Process). If things go really bad we can change the policy, the NCC can shut down the CA and all certificates can be withdrawn. The end result will be the same internet as we have today: one without (valid) certificates for resources. As long as the certificate system doesn't get abused we get to enjoy the benefits...

> It will take some time (it can be done in about 10 weeks) to do this should the need ever occur, but as this is a last-resort exit strategy I think this is acceptable. Is this an acceptable solution for everybody?

No.
  First and foremost I do not want a hierarchical, centralized routing
control infrastructure on the Internet. I think the bad outweigh the
good by far.

I do not oppose a fully decentralized secure/trusted routing, but by
design, my peers should provide me this information. No single
authority should be allowed to speak on behalf of others, unless
*they* grant that power to it. And for this, the core issue to solve
is resource holder/ownership identification -- which seems to me to
contradict the current RIR model.  And this tells me that we have a
much, much larger problem at our hands for the future, made blatantly
evident by these debates.
  By extension, this means that the RIPE NCC cannot run a trust anchor
in the intended way, and there should be no deployed technology in
routers supporting a trust anchor such as the proposals today in the
first place, since it invites abuse and censorship even if the RIPE
NCC itself does not run one, because someone else could.

If, for argument's sake, doing the right thing is impossible, and
consensus really is that doing something is better than doing nothing
in this matter, the RIPE NCC should have very clearly defined (but not
limited-to) set of rules for when the hierarchical, centralized
routing control infrastructure self-destructs *up front*, such that it
would be pointless to attempt to abuse it in this way.  This suggests
that the "self-regulation" we perform, overrules law, since abusive
laws is what we fear.  Additionally, since the attack will be on the
integrity of registry itself, this essentially means we need a
complete fail-over registry...
If you think this can work, then this may be a useful approach. :)

>> ... and yes, the problem are there on the hijack side, don't think many
>> disagree on that..
>
> And I would really like to get a solution for this problem, because I am much more afraid of IPv4 address space hijacks once the NCC IPv4 pool runs out...

I'm not afraid at all. It's quite easy to detect incorrect origins
today, not sure why that would change. Run-out suggests further
incentives to ramp up the traditional IRR filtering. (I'm not
suggesting IRR filtering is the optimal solution to securing routing
on the Internet, but that should be pretty obvious given what I wrote
above.)

Increased censorship is a clear and present danger. It's our duty to
confront this danger wherever we can.

Best,
Martin