From markk at arin.net Wed Nov 1 11:12:48 2017
From: markk at arin.net (Mark Kosters)
Date: Wed, 1 Nov 2017 15:12:48 +0000
Subject: [arin-tech-discuss] RPKI Hosted Certificate expiry
Message-ID: <70B79AFE-D344-4839-9377-1554293186F0@arin.net>

Hi Andrew

That was a good question — one that merited a bit of research on our part. Here's what we have.

Yes, ROAs can not be created with dates past the expiration of the hosted certificate.

As for what to do when the time approaches where the hosted cert needs to be renewed, we are wondering what you (and others) would prefer as a way going forward?

Thanks,
Mark

On 10/23/17, 9:48 AM, "arin-tech-discuss on behalf of Andrew Gallo" wrote:

    Greetings:

    A question came up at an Internet2 meeting concerning hosted RPKI. Specifically- what happens at the expiration of the Hosted Certificate?

    I see that the hosted certificate has a 10-year validity period, and ROAs can not be created with dates past the expiration of the Hosted Certificate.

    When the expiration of this certificate is approaching, what is the procedure? Do we need to re-request Hosted Access? Regenerate ROAs? Will there be an overlap period where both the expiring and new certificates & ROAs will both be valid (to avoid any gaps in coverage)?

    Thank you.

    _______________________________________________
    arin-tech-discuss mailing list
    arin-tech-discuss at arin.net
    http://lists.arin.net/mailman/listinfo/arin-tech-discuss


From mysidia at gmail.com Wed Nov 1 11:26:19 2017
From: mysidia at gmail.com (Jimmy Hess)
Date: Wed, 1 Nov 2017 10:26:19 -0500
Subject: [arin-tech-discuss] RPKI Hosted Certificate expiry
In-Reply-To: <70B79AFE-D344-4839-9377-1554293186F0@arin.net>
References: <70B79AFE-D344-4839-9377-1554293186F0@arin.net>

On Wed, Nov 1, 2017 at 10:12 AM, Mark Kosters wrote:
> Hi Andrew
>
> That was a good question — one that merited a bit of research on our part.
> Here's what we have.
>
> Yes, ROAs can not be created with dates past the expiration of the hosted
> certificate.
[snip]

Arbitrary certificate churning or expiration based on time of credentials that have not been compromised and the associated maintenance cost is a good reason to avoid adopting RPKI in the first place.

Is there any adequate justification they don't simply use an arbitrary value of 100, 200 Years or Infinite expiration period, for all the certs, in place of the arbitrary value of 10?

So unless keys need to be manually revoked for valid security reasons, there should be no unnecessary certificate churn.

Also, if you want the ROAs to be good for a reasonable length of time, then that implies you'll need a renewal of the hosted cert every year you make new ROAs.

E.g. To make ROAs valid for 9+ years, then you're also then needing to renew the hosted cert every year to keep its expiration a sufficient number of years ahead into the future.

--
-Jimmy


From owen at delong.com Thu Nov 2 01:23:45 2017
From: owen at delong.com (Owen DeLong)
Date: Thu, 2 Nov 2017 09:23:45 +0400
Subject: [arin-tech-discuss] RPKI Hosted Certificate expiry
In-Reply-To: <70B79AFE-D344-4839-9377-1554293186F0@arin.net>
References: <70B79AFE-D344-4839-9377-1554293186F0@arin.net>

IMHO I should be able to create a new certificate up to 1 year prior to expiration of the old one and during the overlap period, ROAs signed using either certificate should validate.

Owen

> On Nov 1, 2017, at 19:12, Mark Kosters wrote:
>
> Hi Andrew
>
> That was a good question — one that merited a bit of research on our part. Here's what we have.
>
> Yes, ROAs can not be created with dates past the expiration of the hosted certificate.
>
> As for what to do when the time approaches where the hosted cert needs to be renewed, we are wondering what you (and others) would prefer as a way going forward?
>
> Thanks,
> Mark
>
> On 10/23/17, 9:48 AM, "arin-tech-discuss on behalf of Andrew Gallo" wrote:
>
>     Greetings:
>
>     A question came up at an Internet2 meeting concerning hosted RPKI.
>     Specifically- what happens at the expiration of the Hosted Certificate?
>
>     I see that the hosted certificate has a 10-year validity period, and
>     ROAs can not be created with dates past the expiration of the Hosted
>     Certificate.
>
>     When the expiration of this certificate is approaching, what is the
>     procedure? Do we need to re-request Hosted Access? Regenerate ROAs?
>     Will there be an overlap period where both the expiring and new
>     certificates & ROAs will both be valid (to avoid any gaps in coverage)?
>
>     Thank you.
>
>     _______________________________________________
>     arin-tech-discuss mailing list
>     arin-tech-discuss at arin.net
>     http://lists.arin.net/mailman/listinfo/arin-tech-discuss
>
>
> _______________________________________________
> arin-tech-discuss mailing list
> arin-tech-discuss at arin.net
> http://lists.arin.net/mailman/listinfo/arin-tech-discuss


From akg1330 at gmail.com Thu Nov 2 08:13:29 2017
From: akg1330 at gmail.com (Andrew Gallo)
Date: Thu, 2 Nov 2017 08:13:29 -0400
Subject: [arin-tech-discuss] RPKI Hosted Certificate expiry
References: <70B79AFE-D344-4839-9377-1554293186F0@arin.net>
Message-ID: <11c6033e-63d7-5f64-1b72-9c0a1af8d027@gmail.com>

This is what I was thinking. There would need to be an overlap otherwise there could potentially be a disruption.

I guess a couple of questions on exactly how the process would work-

Would ARIN require the org to re-request hosted access with a new key pair (the key to sign the ROA requests)?
- ideally, no. A new resource certificate should be generated (assuming the org was in good standing)

During the overlap period, would the org be asked which hosted resource certificate to use?
- I don't see a value in that. If more than one resource certificate exists, use the one with the longest validity period.

Would there be a notification of the hosted resource certificate expiring?
Ideally, yes. This raises the question about notification of expiration of individual ROAs, which may be a different discussion.

Thank you.

On 11/2/2017 1:23 AM, Owen DeLong wrote:
> IMHO I should be able to create a new certificate up to 1 year prior to expiration of the old one and during the overlap period, ROAs signed using either certificate should validate.
>
> Owen
>
>
>> On Nov 1, 2017, at 19:12, Mark Kosters wrote:
>>
>> Hi Andrew
>>
>> That was a good question — one that merited a bit of research on our part. Here's what we have.
>>
>> Yes, ROAs can not be created with dates past the expiration of the hosted certificate.
>>
>> As for what to do when the time approaches where the hosted cert needs to be renewed, we are wondering what you (and others) would prefer as a way going forward?
>>
>> Thanks,
>> Mark
>>
>> On 10/23/17, 9:48 AM, "arin-tech-discuss on behalf of Andrew Gallo" wrote:
>>
>>     Greetings:
>>
>>     A question came up at an Internet2 meeting concerning hosted RPKI.
>>     Specifically- what happens at the expiration of the Hosted Certificate?
>>
>>     I see that the hosted certificate has a 10-year validity period, and
>>     ROAs can not be created with dates past the expiration of the Hosted
>>     Certificate.
>>
>>     When the expiration of this certificate is approaching, what is the
>>     procedure? Do we need to re-request Hosted Access? Regenerate ROAs?
>>     Will there be an overlap period where both the expiring and new
>>     certificates & ROAs will both be valid (to avoid any gaps in coverage)?
>>
>>     Thank you.
>>
>>     _______________________________________________
>>     arin-tech-discuss mailing list
>>     arin-tech-discuss at arin.net
>>     http://lists.arin.net/mailman/listinfo/arin-tech-discuss
>>
>>
>> _______________________________________________
>> arin-tech-discuss mailing list
>> arin-tech-discuss at arin.net
>> http://lists.arin.net/mailman/listinfo/arin-tech-discuss
>


From mcrossin at arin.net Mon Nov 6 11:35:09 2017
From: mcrossin at arin.net (Michael Crossin)
Date: Mon, 6 Nov 2017 16:35:09 +0000
Subject: [arin-tech-discuss] November OT&E Refresh
Message-ID: <463F6B99-9ABA-490C-AA92-416A5297E6E8@arin.net>

List,

This message serves as a notification that the Operational Testing and Evaluation environment will soon begin its monthly maintenance for a code and data refresh today.

Scheduled Work: The OT&E whois and other application servers will now update to code matching production versions with refreshed database data. Querying whois.ote.arin.net will not respond until this maintenance has completed.

Expected Duration: 6 hours

Updates: Following the scheduled maintenance there will be a follow up message indicating completion.

Thanks,

Mike Crossin
Database Systems Administrator
American Registry for Internet Numbers


From mcrossin at arin.net Mon Nov 6 17:38:49 2017
From: mcrossin at arin.net (Michael Crossin)
Date: Mon, 6 Nov 2017 22:38:49 +0000
Subject: [arin-tech-discuss] November OT&E Refresh - Complete
Message-ID: <8259B2A1-CE2D-477C-8186-562DD491CB1B@arin.net>

List,

The refresh of the Operational Testing and Evaluation environment was completed within the outlined maintenance window. All systems within this environment should be accessible to you now if you have requested access to it. If you have requested access previously, there is no need to re-request.

If you experience any issues in using the OT&E environment or notice anything erroneous, please reach out to us.

Thanks,

Mike Crossin
Database Systems Administrator
American Registry for Internet Numbers


From pete at arin.net Wed Nov 29 15:44:27 2017
From: pete at arin.net (Pete Toscano)
Date: Wed, 29 Nov 2017 20:44:27 +0000
Subject: [arin-tech-discuss] Status of December and January OT&E Refreshes

Hi Everyone.

The December OT&E refresh will be pushed back two weeks to 18 December. The refresh, when it happens, will also include a software update.

The January OT&E refresh will be pushed back one day to 2 January, due to the New Year holiday.

Regards,

Pete Toscano
Network Operations Manager
ARIN
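The RPKI Hosted Certificate expiry thread above turns on a handful of validity-window rules: a ROA cannot be created with dates past the hosted certificate's expiry (Mark's confirmation of Andrew's reading), ROAs signed under either certificate should validate during an overlap (Owen), the certificate with the longest validity should be used when more than one exists (Andrew), the hosted cert must be renewed early enough to keep long-lived ROAs inside its window (Jimmy), and an expiry notification would be wanted (Andrew). The following Python is an added illustration of those rules written for this page; it is not ARIN's code and does not model ARIN's actual process. The certificate names, dates, prefix and the one-year overlap are constructed sample values, and the ten-year hosted lifetime is taken from the thread.

```python
"""Validity-window checks for a hosted RPKI resource certificate and the ROAs
issued under it. Added illustration only; certificate names and dates below
are constructed, not ARIN's."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """A hosted resource certificate, reduced to the part that matters here:
    its validity window."""
    name: str
    not_before: date
    not_after: date

    def valid_on(self, day: date) -> bool:
        return self.not_before <= day <= self.not_after

    def covers(self, start: date, end: date) -> bool:
        """True when [start, end] lies entirely inside this certificate's validity."""
        return self.not_before <= start <= end <= self.not_after


@dataclass(frozen=True)
class Roa:
    """A ROA, reduced to its own validity window and the name of the hosted
    certificate that signed it."""
    prefix: str
    signer: str
    not_before: date
    not_after: date


def roa_allowed(ca: Cert, start: date, end: date) -> bool:
    """Rule from the thread: a ROA cannot be created with dates past the
    hosted certificate's expiry (or before its start)."""
    return ca.covers(start, end)


def pick_signing_cert(cas: List[Cert], start: date, end: date) -> Optional[Cert]:
    """Andrew's suggestion for the overlap period: of the hosted certs that can
    cover the requested ROA window, use the one with the longest validity.
    Returns None when no certificate can cover it."""
    candidates = [c for c in cas if c.covers(start, end)]
    return max(candidates, key=lambda c: c.not_after) if candidates else None


def roa_valid_on(roa: Roa, cas: List[Cert], day: date) -> bool:
    """Owen's proposal: during an overlap a ROA validates under whichever
    certificate signed it, provided that certificate is still valid on `day`
    and the ROA's window sits inside the certificate's window."""
    signer = next((c for c in cas if c.name == roa.signer), None)
    if signer is None:
        return False
    return (roa.not_before <= day <= roa.not_after
            and signer.valid_on(day)
            and signer.covers(roa.not_before, roa.not_after))


def years_before(d: date, years: int) -> date:
    """`d` shifted back by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def renewal_deadline(ca: Cert, roa_years: int) -> date:
    """Jimmy's point: to keep issuing ROAs that last `roa_years`, the hosted
    certificate must be renewed no later than this date; after it, such ROAs
    no longer fit inside the certificate's window."""
    return years_before(ca.not_after, roa_years)


def expiring_within(cas: List[Cert], today: date, days: int = 365) -> List[str]:
    """The notification Andrew asked about: names of certificates that expire
    within `days` of `today` (already-expired ones are not listed)."""
    horizon = today + timedelta(days=days)
    return [c.name for c in cas if today <= c.not_after <= horizon]


# Constructed sample: a 10-year hosted certificate and a successor issued one
# year before it expires (Owen's overlap). Not ARIN's real certificates.
OLD = Cert("hosted-2012", date(2012, 1, 1), date(2022, 1, 1))
NEW = Cert("hosted-2021", date(2021, 1, 1), date(2031, 1, 1))
CAS = [OLD, NEW]

if __name__ == "__main__":
    print(roa_allowed(OLD, date(2020, 1, 1), date(2023, 1, 1)))              # False
    print(pick_signing_cert(CAS, date(2021, 6, 1), date(2025, 1, 1)).name)   # hosted-2021
    print(renewal_deadline(OLD, 9))                                           # 2013-01-01
    print(expiring_within(CAS, date(2021, 3, 1)))                             # ['hosted-2012']
```

The renewal deadline is the operational consequence of Jimmy's observation: with a ten-year hosted certificate, nine-year ROAs can only be issued during the certificate's first year, so keeping ROA lifetimes long means renewing the hosted certificate well before its expiry, which is exactly the overlap period Owen and Andrew describe.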