[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call

On Tue, May 03, 2011 at 03:42:04PM +0200, Erik Bais wrote:
>The question is not what you are planning to do within your network with
>this or how paranoid you plan to be in regards to the tools around this.
>If you don't want to use the provided tools from RIPE NCC, run your own CA.
>If you don't want to use RPKI, fine as well, no-body is forcing you.

There is no policy that determines that "everything longer than a /24 
is not routable" either. If all your transits insist on rpki-signed 
advertisements, it becomes de-facto mandatory.

The fundamental issue with this proposal is that it, like the block-lists
that some governemnts dream of, establishes an infrastructure that is 
open to abuse. Everything that *can* be abused, no matter how well-
intentioned it may have been, *will* be abused. And the last thing, in my 
opinion, that the DFZ needs is *another* attack vector.

Kind Regards,
Sascha Luck