[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call

Mikael,

On Thu, May 5, 2011 at 4:21 AM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
> On Thu, 5 May 2011, Florian Weimer wrote:
>
>> But why would this be a bad thing, as long as the required legal process
>> is followed?
>
> The problem here is that all of a sudden dutch courts might have direct
> operational influence in all of the RIPE region.
>
> So basically it might make sense to bake a safety-valve into the system so
> that it's fairly easy to replace RIPE with something else in case meddling
> starts to happen. In DNS, one can choose not to use a US based domain name
> or registrar to avoid what's going on in DNS there, what would the similar
> action be in case the dutch legal system starts doing things we don't agree
> with, without turning off RPKI totally?

While I appreciate the idea of safety-valves and a sort of reactive
safety process, is it not inherently better to implement them from the
beginning?

Ie, your idea about placing multiple trust anchors in multiple
jurisdictions from the beginning.

But you still have not solved the core of the problem in this way:
>From where will they get their prefix information?

Since you're not suggesting any modifications to the current internet
numbers role of the RIPE NCC, the information is going to be sourced
from RIPE's DB somehow, anyway.

Do you suggest independent and open review of all changes of data
before installation in the 2nd-tier trust anchors?
Essentially a human-involving process will absolutely be required
before a revocation, or change to $FOO, of a resource and its resource
certificate will be allowed to spread from the source (RIPE's DB) to
its 2nd-tier trust anchors.

Who will vote on whether a change is OK or not? A pretty decent amount
of persons will have to be involved to guard well against abuse (think
EU/EC/EG court decisions / laws.)

You must assume from the start that the legal process at the source is
flawed -- how do you protect the mirrors from abuse?

And if the legal process at the source is broken, how do you move the
source IRR information away from it?

Or, are you suggesting multiple independent IRRs covering the same
data, where a user now has to keep individual and separate
communications with each and one of them to update the IRR data,
negotiate change of ownership of a resource, etc.

I do appreciate a very useful discussion on this topic and seeking
constructive solutions to the concerns outlined.
And for the record I prefer making it completely pointless for someone
to even consider sending black helicopters (this can be done), than to
consider how to best protect oneself from them. :)


Note well that my voting / change process questions raised above apply
equally well whether there is only one IRR and one trust-anchor at
RIPE NCC, or multiple 2nd-tier ones.

Kind Regards,
Martin