prop-166: Revocation of Persistently Non-functional RPKI Certification Authorities

Proposal text: prop-166-v001
Objective

This proposal would give APNIC a mandate to revoke the RPKI resource certificates of CAs that have been non-functional for a long time, in order to reduce Relying Party workload.

Current status: To be discussed at APNIC 60
Authors

Job Snijders

Relevant forum: Policy SIG
Previous versions: n/a
Secretariat impact assessment

1. APNIC’s Understanding of the Proposed Policy

This Proposed Policy would require APNIC to revoke the RPKI certificate of any Self-Hosted Certification Authority (CA) that has not updated its manifest or Certificate Revocation List (CRL) for longer than 2 months.

As months do not have a fixed number of days, APNIC will use 60 days as the threshold rather than 2 months.

Once a Self-Hosted CA has been revoked, it can be recreated through the normal processes as listed in the last paragraph of https://www.apnic.net/community/security/resource-certification/.

It is the Secretariat’s understanding that revocation will not newly invalidate a Self-Hosted CA’s RPKI objects, and in particular its ROAs: the CRL and manifest at the CA’s publication point would already have passed their nextUpdate before the 60-day period elapses, so Relying Parties would already be rejecting the CA’s products by the time the certificate is revoked.

The Policy Proposal does not target the CAs of the National Internet Registries (NIRs); it targets persistently non-functional Self-Hosted CAs.

The Proposed Policy text uses the term “Delegated CA”, which the APNIC Certification Practices Statement refers to as “Self-Hosted”. The terms are interchangeable, and the wording can be aligned during the editorial and comment process (APNIC-112).

The Secretariat also notes that there is a similar proposal in the RIPE region with a proposed 90-day threshold.

2. Impact of Proposed Policy on Registry and Addressing System

No impact on the Registry and Addressing System.

3. Impact of Proposed Policy on APNIC Operation/Services

Given the low number of Self-Hosted CAs within the APNIC service region, and the unlikely prospect of a significant number being added, the following impacts could be expected:

  • Software:
    Update systems to:

• Monitor the manifests and CRLs published by each Self-Hosted CA at a nominated interval

    • If APNIC is unable to discover and validate a Self-Hosted CA’s current manifest and CRL for more than 60 days, that Self-Hosted CA will be removed as a child, and its resource certificate will be revoked by the APNIC Parent CA

    • Before removing the Self-Hosted CA, warning emails will be sent to the known contacts of the Self-Hosted CA

  • Member Services:
    The Secretariat anticipates a slight increase in the number of requests from non-functional CA operators.
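The monitoring and removal steps above amount to a staleness check that can be stated precisely. The following is an added illustration written for this page, stdlib-only Python, and not APNIC's monitoring software or anything the proposal specifies. It assumes the fetcher records each manifest's and CRL's nextUpdate (None when the object is missing or fails validation), that warning emails start after 30 days of non-function, and that a CA never yet seen current is measured from its first observation; those three points and the CA names are assumptions, not from the proposal. Only the 60-day threshold comes from the text.

```python
"""Staleness check for self-hosted RPKI CAs, in the shape the proposal describes.

Illustrative, stdlib-only example written for this page, not APNIC's monitoring
software. Assumed (not stated in the proposal): the fetcher records each
manifest's and CRL's nextUpdate, warnings start after 30 days, and a CA that was
never current is measured from its first observation. CA names are made up.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

REVOKE_AFTER_DAYS = 60   # threshold from the impact assessment (60 days, not "2 months")
WARN_AFTER_DAYS = 30     # assumption: when warning emails to the CA's contacts start
AS_OF = date(2025, 10, 1)  # "today" for the constructed sample below


@dataclass(frozen=True)
class Observation:
    """One fetch of a CA's publication point by the monitoring job."""
    fetched: date
    manifest_next_update: Optional[date]  # None: manifest missing or failed validation
    crl_next_update: Optional[date]       # None: CRL missing or failed validation

    def current(self) -> bool:
        """True only if both objects validated and neither was past nextUpdate at fetch time."""
        return (
            self.manifest_next_update is not None
            and self.crl_next_update is not None
            and self.fetched <= self.manifest_next_update
            and self.fetched <= self.crl_next_update
        )


def days_non_functional(observations: List[Observation], as_of: date) -> int:
    """Days since the CA was last seen with a current manifest AND a current CRL.

    If it has never been seen current, count from its first observation (assumption).
    """
    seen = [o.fetched for o in observations if o.fetched <= as_of]
    if not seen:
        raise ValueError("no observations on or before as_of")
    good = [o.fetched for o in observations if o.current() and o.fetched <= as_of]
    anchor = max(good) if good else min(seen)
    return (as_of - anchor).days


def decide(observations: List[Observation], as_of: date) -> str:
    """'ok', 'warn' (email the contacts) or 'revoke' (remove child, revoke its certificate)."""
    d = days_non_functional(observations, as_of)
    if d > REVOKE_AFTER_DAYS:
        return "revoke"
    if d > WARN_AFTER_DAYS:
        return "warn"
    return "ok"


# Constructed sample observations for four hypothetical self-hosted CAs.
OBSERVATIONS: Dict[str, List[Observation]] = {
    # healthy: fetched yesterday, both objects valid and within nextUpdate
    "ca-a": [Observation(date(2025, 9, 30), date(2025, 10, 2), date(2025, 10, 2))],
    # last current 45 days before AS_OF; a later fetch found no valid manifest
    "ca-b": [
        Observation(date(2025, 8, 17), date(2025, 8, 18), date(2025, 8, 18)),
        Observation(date(2025, 9, 20), None, date(2025, 9, 22)),
    ],
    # last current 75 days before AS_OF; a later fetch had a fresh manifest but an
    # expired CRL, which still is not "current" (the proposal says manifest and/or CRL)
    "ca-c": [
        Observation(date(2025, 7, 18), date(2025, 7, 20), date(2025, 7, 20)),
        Observation(date(2025, 9, 1), date(2025, 9, 3), date(2025, 8, 10)),
    ],
    # new CA, never yet seen current, first observed 6 days before AS_OF
    "ca-d": [Observation(date(2025, 9, 25), None, None)],
}


def report(as_of: date, observations: Dict[str, List[Observation]] = OBSERVATIONS) -> Dict[str, str]:
    """Decision per CA as of the given date."""
    return {name: decide(obs, as_of) for name, obs in observations.items()}


if __name__ == "__main__":
    for name, verdict in report(AS_OF).items():
        print(f"{name}: {verdict}")
```

Two design points worth noting. The clock is keyed on the objects' own nextUpdate rather than on fetch failures alone, so an unreachable repository and a reachable one serving expired objects are treated the same, and a fresh manifest does not rescue a CA whose CRL has lapsed (the "and/or" in the legal section). And because a manifest or CRL whose nextUpdate is more than 60 days in the past has long been rejected by validating Relying Parties, the revocation this check triggers is housekeeping for the parent, consistent with the Secretariat's note that it does not newly invalidate the CA's ROAs.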

4. Legal Impact of Proposed Policy

If this policy proposal is accepted, APNIC will be required to revoke the certificates of certificate holders who chose the Self-Hosted CA setup in instances where their manifest and/or CRL has not been updated for a period longer than 60 days.

APNIC will need to update the APNIC Certification Practices Statement (CPS) to encompass the Proposed Policy requirements.

APNIC will need to update the RPKI Terms and Conditions to encompass the Proposed Policy requirements.

5. Implementation

There is a medium impact on the software and legal teams. If this proposal were to reach consensus, the implementation time frame would be approximately 3 months, subject to the call-for-editorial-comments period.

Proposal history
31 July 2025 Version 1 posted to the Policy SIG mailing list for community discussion.
15 August 2025 Impact Analysis published and posted to the Policy SIG mailing list for community discussion.