[address-policy-wg] the implications of RPKI certificate revokation

On 05.05.2011 09:45, Jim Reid wrote:
> On 4 May 2011, at 17:24, Brian Nisbet wrote:
>
>> You seem to be imagining a scenario where a national governement
>> would just ring up the NCC and say, "revoke these certs." I have seen
>> no evidence to suggest this risk is anything close to real.
>
> I suppose this depends on the definition of "real" and "evidence" Brian.
>
> If the NCC gets told to revoke a cert -- eg via a Dutch court order or
> equivalent -- it will have to do that. It would be sensible to assume
> that well-funded and/or litigious organisations might well be minded
> to pursue that avenue if they think getting a cert revoked will either
> disrupt or shut down some activities they dislike. Or bury their
> opponents in legal costs before it gets to the point where a court
> order gets issued. Certificates for routing will provide another
> vector for these sorts of layer-9 and up attacks. IMO it's foolish to
> assume or pretend otherwise.
The question is whether there is some other way of ensuring routing
consistency ... But given the current track record of many countries'
legislative and legal developments, e.g. "hostage-taking" of domains in
the US, internet filters in many European countries, etc., I must concur
that the threat to the Internet once RPKI is introduced will be very
real ... so, what alternatives can we come up with from a technical
standpoint that is not prone to government or legal pressure?

-garry