Hi Nigel & Randy,
On Wed, 2011-05-04 at 16:02 +0200, Randy Bush wrote:
If the community (as evidenced by this WG) tells the RIPE NCC not to implement this (or more precisely to withdraw the service they are already offering) then we simply open the way for private certification companies in the RIPE region.
in which case, i would prefer to arrange a pro-bono one.
So would I. But I can imagine going to my boss and saying "there are two alternatives for securing my address space: a pro-bono, best effort thing run by Randy or a professional one run on a commercial basis by Mega-Certicates Plc. Which would you like me to use?
And why would that be better than having a not-for-profit org like RIPE NCC that we are all a part of as a member, already doing this ? It's not that RIPE NCC is owned by a government or that ROA's or certificates are something that the Dutch government could seize or that an evil government would/could do so (under Dutch law), in order to shutdown the internet or an ISP.. There are far better (more effective) ways of doing so, if you remember what happened in Egypt / Libya etc.. Power down datacenter (y/n) ... Last time I checked, the NCC is operating on behalf of all of us. There are tools to be released in a couple weeks (according to the preso from Alex this afternoon.) that will allow you to run your own CA. If I would speak for myself, I would not trust any random company doing this, except the RIR's and I'm not planning to run my own CA due to the hassle. Until proven otherwise I don't have a reason to think that RIPE NCC isn't capable of providing this service. I'm not saying that you shouldn't run your own setup if you like, but what I am saying is that I don't like that you are trying to stop a working platform that is already working for me and hundreds of LIR's who have been using the system already since Jan 2011. I'm all pro-choice and that also means that I don't like it if someone is taking my choice away ... Erik Bais