<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br>[Apologies for duplicate emails]<br><font color="#0f61c8"><br></font>Dear colleagues,<br><font color="#0f61c8"><br></font>Since the launch of the RIPE NCC resource certification (RPKI) system on<br>1 January 2011, more than 1,300 RIPE NCC members have requested a<br>resource certificate. Together, they have created statements about BGP<br>routing for over 3,000 prefixes, covering more than five /8 blocks.<br>Currently, this system is only applicable to Provider Aggregatable (PA)<br>address space held by RIPE NCC members.<br><font color="#0f61c8"><br></font>The functionality that we most commonly receive requests for is to make<br>address space held by Provider Independent (PI) End Users eligible for<br>certification. During the RIPE 65 Meeting in Amsterdam, there were<br>discussions on this and the RIPE NCC Executive Board extensively<br>deliberated the issue. Based on these discussions, the Executive Board<br>now submits this proposal for consideration and discussion to you, the<br>RIPE NCC membership and the RIPE community.<br><font color="#0f61c8"><br></font>One of the most important considerations when issuing a resource<br>certificate is that it be given to the legitimate holder of the address<br>space. This is fundamental to the reliability and trustworthiness of the<br>system and to the goal of making our registry as robust as possible.<br><font color="#0f61c8"><br></font>To ensure that the resource certificate retains its authoritative value<br>over time, it is important that the RIPE NCC periodically verifies the<br>association between the resource and its holder. With our members, this<br>is a straightforward process because we have direct contact with them at<br>least once a year.<br><font color="#0f61c8"><br></font>Under current RIPE Policy, PI End Users who are not RIPE NCC members<br>must have a contractual agreement with a sponsoring LIR (as detailed in<br>ripe-452). Periodic verification of the resource holder could be handled<br>by the sponsoring LIR.<br><font color="#0f61c8"><br></font>Also note that the RIPE NCC cannot enter into any contractual agreement<br>with PI End Users, other than the "RIPE NCC Standard Service Agreement"<br>(ripe-435).<br><font color="#0f61c8"><br></font>Therefore, the Executive Board proposes that PI End Users in the RIPE<br>NCC service region who want to certify their resources be given both of<br>the following two options:<br><font color="#0f61c8"><br></font>1. Sign an agreement with their sponsoring LIR (a RIPE NCC member) to<br>have the resources certified by the RIPE NCC via the sponsoring LIR. In<br>this case, the sponsoring LIR would be responsible for periodically<br>verifying that the PI End User is the legitimate holder of the<br>resources. However, the RIPE NCC will in all cases be responsible for<br>issuing the resource certificate and providing access to the RPKI<br>management interface. Therefore, PI End Users should, at all times, be<br>able to change from one sponsoring LIR to another while still retaining<br>the same certificate for the resources that they hold.<br><font color="#0f61c8"><br></font>The cost associated with this option lies in building a framework in the<br>LIR Portal to facilitate the process, some administrative overhead, and<br>the additional burden on the RPKI infrastructure, that would not be<br>funded by the direct beneficiary of the resource certification service.<br>These costs would come out of the general RIPE NCC budget and would<br>therefore be funded by all RIPE NCC members, however it is unlikely that<br>this would have any direct impact on future membership fees.<br><font color="#0f61c8"><br></font>Alternatively a PI End User may choose to:<br><font color="#0f61c8"><br></font>2. Become a RIPE NCC member, pay the full annual membership fee and<br>receive a certificate directly through the RIPE NCC.<br><font color="#0f61c8"><br></font>The Executive Board feels that offering both of these options will<br>result in relatively little impact on membership fees while offering all<br>PI End Users the opportunity to certify their Internet number resources<br>without being forced to become a member of the RIPE NCC.<br><font color="#0f61c8"><br></font>For the sake of completeness, we also present a third scenario discussed<br>by the Executive Board that would involve giving PI End Users that have<br>received resources through a sponsoring LIR the option to deal directly<br>with the RIPE NCC without becoming a RIPE NCC member or needing to make<br>contact with their sponsoring LIR. They could do this by authenticating<br>the relevant INETNUM object using their MNTNER, and supplying additional<br>information directly to the RIPE NCC (company registration papers,<br>business address details, contact email, etc.) on a periodic basis<br>(probably every 12-18 months). This option would not entail any fee or<br>contractual agreement for the PI End User.<br><font color="#0f61c8"><br></font>However the Executive Board does not see this as a viable option, as the<br>amount of resources required to check the necessary supporting<br>documentation and other administrative overheads would be too large a<br>financial burden on the RIPE NCC membership. The lack of a<br>periodically-renewed contractual relationship with the PI End User,<br>while providing them this service, may also cause complications.<br><font color="#0f61c8"><br></font>*IMPORTANT* Your opinions and feedback on this proposal are vital in<br>shaping a resource certification system that best suits your needs. We<br>encourage you to discuss this matter on the RIPE NCC members-discuss<br>mailing list. Following approximately six weeks of discussion (ending on<br>30 March 2013), the Executive Board will consider feedback from the list<br>and propose options on moving forward on this matter which will be<br>properly communicated.<br><font color="#0f61c8"><br></font>Kind regards,<br><font color="#0f61c8"><br></font>Axel Pawlik<br>Managing Director<br>RIPE NCC<br><font color="#0f61c8"><br></font><div><br></div></div><br></body></html>