Hi Erik,

Publish in Parent does require its users to have a valid RPKI certificate for a delegated CA in order to be able to publish objects in it. That could either be a member, a PI holder (with a sponsoring LIR) or legacy holders with a contract relationship. A user can also create other publication points, for example for CAs of business units, or a (grand)child CA.

In other words, in order to use the system, you either have to have a contract relationship with the RIPE NCC, be associated with a sponsoring LIR or have access delegated to you from one of these.

Allowing SSO accounts without one of the above conditions would open the door to abuse, as it would be difficult, if not impossible, to track down users abusing the system.

I hope that clarifies your queries, otherwise I am happy to elaborate further.

Kind regards,
Felipe


On 6 Oct 2022, at 14:56, Erik Bais <ebais@a2b-internet.com> wrote:

Hi Felipe,
 
Could you provide some insight on how the authorization for the PiP system is envisioned?
 
We have been discussing that the PiP implementation is planned for RIPE members, which to my view would mean that PiP is only available for LIRs in good standing.
That would also mean that if you are not an LIR anymore, that you lose the ability to upload objects (correct?)
 
Or... is the authorization linked to a RIPE NCC SSO account (which is free...) and it will also be available for RIPE PI space holders or legacy space holders...
 
I would say that it would be better for the community to have the authorization for this with a free-to-set-up NCC SSO account, as those don’t need to be linked to an LIR... and it will allow for fewer issues if the LIR closes for some reason...
 
I would also think that if someone would like to use the publication point, it should have something to do with some RIPE resource …
 
Looking forward to your reply, 
 
Regards,
Erik Bais 
 
From: routing-wg <routing-wg-bounces@ripe.net> on behalf of Felipe Victolla Silveira <fvictolla@ripe.net>
Date: Thursday, 29 September 2022 at 16:15
To: "routing-wg@ripe.net" <routing-wg@ripe.net>
Subject: [routing-wg] Publish in Parent - input requested
 
Dear all,

As some of you are aware, the RIPE NCC has been working on a new service for RPKI, called Publish in Parent. This service is intended for RPKI users who have chosen to run their own Certificate Authority (delegated RPKI) but don’t want to take the burden of maintaining a highly available publication point. By using this service, it will be possible for our members with delegated RPKI to publish their signed RPKI objects in the RIPE NCC repositories (RRDP and rsync) instead of maintaining their own.

Following a discussion with the Executive Board in our meeting last June, we would like to ask our community for input on the requirements for this service. The service was originally designed to allow all objects to be published in our repositories, regardless of whether the associated resources are part of the RIPE NCC or another RIR, and this is how we would like to proceed. However, it has been argued that there should be a restriction in this service so that it allows only RIPE NCC resources to be published and not resources belonging to a different RIR.

If you are a potential user of this service, what are your expectations for its functionality? Do you want to be able to publish all your objects in RIPE NCC repositories, regardless of whether they are from the RIPE NCC or not? Or will you publish each object in the corresponding RIR repositories? Please note that we are only talking about publication. The objects out of region will be signed with their own parent certificate.

If you are a developer of one of the Relying Party software packages, will the presence or absence of such a restriction impact your software package in any way? Do you expect the need to make changes, depending on the direction this takes?

To make informed decisions on how we should progress with Publish in Parent, we need input from potential users of the service. Please reply with your feedback by 14 October so we can incorporate it in our planning and inform you about our progress at RIPE 85.

Kind regards,


Felipe Victolla Silveira
Chief Operations Officer
RIPE NCC