Mikael, On Thu, May 5, 2011 at 4:21 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
On Thu, 5 May 2011, Florian Weimer wrote:
But why would this be a bad thing, as long as the required legal process is followed?
The problem here is that all of a sudden dutch courts might have direct operational influence in all of the RIPE region.
So basically it might make sense to bake a safety-valve into the system so that it's fairly easy to replace RIPE with something else in case meddling starts to happen. In DNS, one can choose not to use a US based domain name or registrar to avoid what's going on in DNS there, what would the similar action be in case the dutch legal system starts doing things we don't agree with, without turning off RPKI totally?
While I appreciate the idea of safety-valves and a sort of reactive safety process, is it not inherently better to implement them from the beginning? Ie, your idea about placing multiple trust anchors in multiple jurisdictions from the beginning. But you still have not solved the core of the problem in this way:
From where will they get their prefix information?
Since you're not suggesting any modifications to the current internet numbers role of the RIPE NCC, the information is going to be sourced from RIPE's DB somehow, anyway. Do you suggest independent and open review of all changes of data before installation in the 2nd-tier trust anchors? Essentially a human-involving process will absolutely be required before a revocation, or change to $FOO, of a resource and its resource certificate will be allowed to spread from the source (RIPE's DB) to its 2nd-tier trust anchors. Who will vote on whether a change is OK or not? A pretty decent amount of persons will have to be involved to guard well against abuse (think EU/EC/EG court decisions / laws.) You must assume from the start that the legal process at the source is flawed -- how do you protect the mirrors from abuse? And if the legal process at the source is broken, how do you move the source IRR information away from it? Or, are you suggesting multiple independent IRRs covering the same data, where a user now has to keep individual and separate communications with each and one of them to update the IRR data, negotiate change of ownership of a resource, etc. I do appreciate a very useful discussion on this topic and seeking constructive solutions to the concerns outlined. And for the record I prefer making it completely pointless for someone to even consider sending black helicopters (this can be done), than to consider how to best protect oneself from them. :) Note well that my voting / change process questions raised above apply equally well whether there is only one IRR and one trust-anchor at RIPE NCC, or multiple 2nd-tier ones. Kind Regards, Martin