Hi,

On Sun, 21 Mar 2021 at 13:48, Hank Nussbacher <hank@interall.co.il> wrote:

> Monitoring ROV invalids in other people's networks (validators; routers) is not possible and I doubt it ever will be.
>
> We managed to create "Certificate Transparency" logs where all CAs send their certificates so with a little bit of IETF geekery I am sure an RFC can be designed so that everyone dumps their RPKI drops into some central stream/repository. Yeah I know - I'm dreaming :-)
Logging dropped ROV invalids at the router is not comparable to CT (which is about issuing certificates), but rather to HPKP with reporting enabled.

However, there is no incentive to do this for the folks involved. Browser vendors pushing to enhance the WebPKI do that because their business case is tied to it. Router vendors struggle to implement basic RTR support without introducing major operational issues, and their business case does not depend on getting it right the first time (actually it is quite the opposite); asking for additional features at this point really is a "dream". There is no direct business case for network operators either.

So I would not say this is a realistic endeavour.

cheers,
lukas
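To make concrete what an "ROV drop" record of the kind the thread imagines would contain, here is an added example that is not part of the mailing-list discussion: a minimal RFC 6811 route origin validation routine that classifies an announcement as valid, invalid or not-found against a set of ROAs, and emits a structured report line only for invalids. The ROAs, announcements, peer name and timestamp are constructed sample values (documentation prefixes from RFC 5737/3849 and example ASNs from RFC 5398); the field names of the report are an assumption, not any vendor's or RFC's format.

```python
"""Added example: RFC 6811 origin validation plus an HPKP-style "report on drop"
record. Not from the thread; all data below is constructed."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "192.0.2.0/24"
    max_length: int  # maxLength attribute of the ROA
    asn: int         # authorised origin AS (0 means "nobody may originate")


# Constructed sample ROAs (not real RPKI data).
SAMPLE_ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
    ROA("2001:db8:1::/48", 48, 0),       # AS0 ROA: any origin is invalid
]


def _covers(roa: ROA, net: ipaddress._BaseNetwork) -> bool:
    """A ROA covers an announcement if the announced prefix lies within the
    ROA prefix (same address family)."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2.

    valid     - at least one covering ROA matches: same origin AS (never AS0)
                and announced length <= maxLength
    invalid   - covering ROAs exist but none match
    not-found - no covering ROA at all
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def rov_report(prefix: str, origin_asn: int, roas: List[ROA],
               peer: str, observed_at: str) -> Optional[dict]:
    """Produce a report record for an invalid announcement, or None otherwise.

    This is the per-drop record the discussion compares to HPKP reporting:
    enough context (covering ROAs, peer, time) for the prefix holder to see
    what was rejected and why. Field names are an assumption."""
    state = validate(prefix, origin_asn, roas)
    if state != "invalid":
        return None
    net = ipaddress.ip_network(prefix, strict=False)
    return {
        "observed_at": observed_at,      # constructed timestamp from the caller
        "peer": peer,
        "prefix": str(net),
        "origin_asn": origin_asn,
        "rov_state": state,
        "covering_roas": [
            {"prefix": r.prefix, "max_length": r.max_length, "asn": r.asn}
            for r in roas if _covers(r, net)
        ],
    }


def drop_log(announcements, roas: List[ROA], peer: str, observed_at: str) -> List[str]:
    """Run ROV over (prefix, origin) pairs and return one JSON line per invalid."""
    lines = []
    for prefix, origin in announcements:
        rec = rov_report(prefix, origin, roas, peer, observed_at)
        if rec is not None:
            lines.append(json.dumps(rec, sort_keys=True))
    return lines


if __name__ == "__main__":
    # Constructed announcements: one valid, one too-long, one wrong origin,
    # one with no ROA, one hitting an AS0 ROA.
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
              ("198.51.100.0/24", 64498), ("203.0.113.0/24", 64496),
              ("2001:db8:1::/48", 64499)]
    for line in drop_log(sample, SAMPLE_ROAS, "peer-a (constructed)", "2021-03-21T13:48:00Z"):
        print(line)
```

The report is emitted only on the invalid outcome, mirroring the HPKP "report on violation" model rather than CT's "log at issuance" model that the reply draws the distinction between; not-found routes are deliberately silent, since they are accepted and carry no signal about a misconfigured ROA.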