[address-policy-wg] [Ticket#2013022101004151] Policy update request on certification of transferred IPv4 allocations

On 27 Feb 2013, at 15:42, Wilfried Woeber <Woeber at CC.UniVie.ac.at> wrote:

> Hi Alex,
> 
> Alex Band wrote:
> 
> [...]
>> As soon as the Registry is updated and the resources are associated with
>> the new holder, the LIR can optionally request a resource certificate for it.
>> This does mean that a transition is not seamless; there is a gap where there
>> is no certificate and no ROA, which has an effect on the RPKI validity state
>> of the associated BGP announcements. More on that below.
> 
> Let's assume that there was a certificate for the full block of the current
> holder. Part of that space moves to a new holder. While it is "obvious", that
> there's no certificate for that space, it would also be "obvious", that the
> encompassing certificate would have to become invalid, e.g. by being revoked
> by the CA. Correct?

No. If an LIR requested a resource certificate, it will at all times reflect the Registry. So if certain resources are added or removed from an LIR, a new, updated certificate is issued automatically to reflect the new situation, without user interaction required. 

So this applies for both parties if they had certification enabled. The only thing the receiving party would have to do is create a ROA for the new address space, to authorise the BGP announcement they will be doing with it. Until that time, the announcement will will remain with the "unknown" state (so NOT invalid).

-Alex