[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call

Sascha,

On May 3, 2011, at 8:44 AM, Sascha Luck wrote:
> There is no policy that determines that "everything longer than a /24 is not routable" either. If all your transits insist on rpki-signed advertisements, it becomes de-facto mandatory.

Agreed.

> The fundamental issue with this proposal is that it, like the block-lists that some governemnts dream of, establishes an infrastructure that is open to abuse. Everything that *can* be abused, no matter how well-intentioned it may have been, *will* be abused. And the last thing, in my opinion, that the DFZ needs is *another* attack vector.

At an abstract level, RPKI merely provides a way of validating the contents of the address registration database(s) that is (more) amenable to automation than current systems.  The implication of this is that it will give the signers of resources anywhere in the chain the ability to impose policy on those beneath them in the chain of trust.  In theory, that power exists today, e.g., RIPE could revoke an allocation and remove it from the registration database, resulting in an implicit revocation of all addresses assigned with the address space that had been allocated. I'm not aware of any abuse of the current system.  Is your concern that the new system will make abuse somehow easier?

Regards,
-drc