[ncc-services-wg] Divergence of RIPE / RIPE NCC policy
Nigel Titley
nigel at titley.com
Tue Mar 19 11:52:29 CET 2013
On 18/03/2013 23:31, Nick Hilliard wrote:
> On 14/03/2013 11:41, Andrew de la Haye wrote:
>> Some feedback has pointed out the lack of RIPE Policy on this issue. At
>> this time, the RIPE NCC is requesting feedback on whether or not resource
>> certification should expand beyond a RIPE NCC member service. Discussions
>> about potential RIPE Policy, should this happen, can take place via the
>> appropriate channels.
> I've been trying to figure out a diplomatic way of re-approaching this
> issue, but inspiration has not happened, so the direct way will have to do.
>

I think that your email is perfectly diplomatic and I'm going to try to respond to it.

> I'd like to ask for feedback from the RIPE Chair about whether he feels
> that bottom-up policy is achieved when it is appropriate for the RIPE NCC
> to create its own policies in situations where the RIPE Community feels
> that the topic is sufficiently divisive that they cannot form consensus.
> And if it is appropriate for the RIPE NCC to do this, whether there is any
> point in continuing to have a RIPE Community and a policy development process.

This response isn't strictly speaking an official one. However, as one of the authors of the policy proposal in question, and as Chairman of the RIPE NCC board I feel I have a certain amount of personal responsibility for the whole sorry business around certification. Perhaps I can explain my own reasoning, and perhaps the whole process will prove cathartic and I'll be able to start sleeping at nights again.

Way back in 2006ish the RIPE community and RIPE NCC pulled together the Certification Authority Task Force (CATF) which had representation from the NCC and the community and which had the task of looking at Certification, its effects on the community and its effects on the NCC.
The NCC did a lot of work, mainly on looking at business processes and the effects that certification would have on this, but also did some development work to see what the software might look like. The CATF reported regularly back to the community at RIPE meetings and via email and the community appeared to be generally in favour of the work (at least no or few objections were raised).

Other RIRs, most notably APNIC, concentrated on the software development side and APNIC in particular produced a full blown implementation which they made available to their community.

The RIPE NCC was continuing to work on business processes and eventually reached the stage where they felt that they had a sufficiently solid framework to start development of trial software. This was notified to the community at a regular report of the CATF, and certification activity was notified to the RIPE NCC membership through the Activity plan. Again, no objections were raised and informal approval from the community was given to continue with the work.

Work started and trial software was developed and reported on to the community. The community (and membership) gave informal approval for operational software to be developed and funds were committed. At the same time, and as its final task the CATF wrote a policy proposal (2008-08) to formalise the support from the community. Up to this point, no objections had been received.

2008-08 started to make its way through the PDP and reactions were initially reasonably in favour. Objections mostly centered around the limited proposed life span of certificates and the fact that LIRs who failed to pay their membership fees might find themselves without valid certificates for their address space. Changes were made to the policy proposal to try and accommodate this but there was general agreement that certificates should be roughly tied to the commercial arrangements between the LIR and the RIPE NCC.
Meanwhile work continued on the development of the certification software as detailed in the activity plan.

Eventually a form of the proposal was developed which seemed satisfactory to everyone and the policy moved through to the review phase.

At this point, things started to go wrong. A small but vociferous group raised issues about the ability of certification and ROAs in particular to enable the RIPE NCC (and by extension, the Dutch government) to "switch off the internet". These concerns are perfectly valid but do depend on balance of probability arguments. In my opinion the PDP handles this sort of argument very badly: it assumes that all discussion can be rationally argued and arguments of the form of "if condition A were to pertain then B will happen and B is undesirable, but the probability of A happening is a matter of opinion, and opinion varies wildly" don't enter into it. The fact that the arguments were only raised at the review stage didn't help either. Most of the proponents of the proposal had long lost interest in re-stating arguments that had been fought and won many months or even years previously and the discussion started to spiral into destruction.

The CATF had long disbanded and as the only member with my name on the policy proposal I was left holding this particularly unpleasant orphaned child. I could see no approach but euthanasia and I reluctantly withdrew the policy. This was *my* decision, not the Board's and not the RIPE NCC's.

However, this now left the RIPE NCC in a difficult position. They had spent some hundreds of thousands of euros on work which the community had assured them it wanted and which the community now was refusing to support. The membership were now being faced with the nightmare that worries me continuously: that the community asks the NCC to do something which has serious financial implications for the membership and for which there is no means, under the PDP, of refusal.
Under the circumstances, the board took the only course sensibly available to them and asked the membership how they wanted to proceed: did they want to continue with certification work (having already spent a substantial amount of money) or did they want the work to stop? A further option of continuing but without the ability to generate ROAs (which is what gives the ability for the certification authority to affect routing) was also offered.

You all know the outcome. The membership voted to continue the work and to continue to offer ROAs. The majorities were much slimmer than I would have liked to see, but they were majorities. And the RIPE NCC continued forward with certification work.

This is my memory of the events as they happened. The chronology may be slightly off but the events are roughly in order.

What have we learned from this? Well, there are a number of important lessons:

1. Don't accept informal expressions of "yes, let's try doing that" from the community, especially where substantial sums are involved.
2. Make sure that for really substantial changes in policy, community approval is obtained *first* (although there is the caveat that this may add unacceptable delays to the work to be done)
3. Try and make sure that the community is fully aware of the implications of what they are proposing
4. And finally don't equate lack of response with approval

We have been bitten by 3) before now. Proposal 2007-01 caused an increase in operating costs of 17% when it was implemented and as a direct result, the NCC and board implemented a policy of delivering an impact analysis on all policy proposals. 1) and 2) haven't really come up since 2008-08 but be assured that the NCC and board have been bitten once and are now twice shy.

So, after this long email, what do I say to your original question? Well, I passionately believe (and so does the Board and the NCC) in the bottom up process.
I believe that it is vital to the growth and development of the internet and although it has its dark side, I don't think we've come up with anything better, so far. However, we have to be aware that it can sometimes move with glacial slowness and the RIPE NCC is running a commercial operation, with bills and staff to be paid. Sometimes a decision has to be made based on community "feeling". And as any working group chair will tell you, working out what that is is why they are paid the big bucks... In this case, having got a go ahead from the membership, however lukewarm, it didn't seem a large step to add certificates for PI as well as PA.

Certification is one where the decision might have been made differently if that measure of feeling had been different, if people had looked up from their laptops in the working group and actually debated the issues *early on*. As it happened, the real debate only started to happen years after the money had been spent, and the membership (whose money it is) deserved a say in how to proceed.

That's why I handled it like I did. And in similar circumstances I'd probably do it the same way again.

Now, I'm going to have a nice cup of tea and get back to my day job.

Nigel