[arin-tech-discuss] RPKI Hosted Certificate expiry

Andrew Gallo akg1330 at gmail.com
Thu Nov 2 08:13:29 EDT 2017


This is what I was thinking.


There would need to be an overlap otherwise there could potentially be a 
disruption.

I guess a couple of questions on exactly how the process would work:

Would ARIN require the org to re-request hosted access with a new key 
pair (the key to sign the ROA requests)? - ideally, no. A new resource 
certificate should be generated (assuming the org was in good standing).

During the overlap period, would the org be asked which hosted resource 
certificate to use? - I don't see a value in that.  If more than one 
resource certificate exists, use the one with the longest validity period.

Would there be a notification of the hosted resource certificate 
expiring? Ideally, yes.  This raises the question about notification of 
expiration of individual ROAs, which may be a different discussion.


Thank you.



On 11/2/2017 1:23 AM, Owen DeLong wrote:
> IMHO I should be able to create a new certificate up to 1 year prior to expiration of the old one and during the overlap period, ROAs signed using either certificate should validate.
>
> Owen
>
>
>> On Nov 1, 2017, at 19:12, Mark Kosters <markk at arin.net> wrote:
>>
>> Hi Andrew
>>
>> That was a good question – one that merited a bit of research on our part. Here’s what we have.
>>
>> Yes, ROAs can not be created with dates past the expiration of the hosted certificate.
>>
>> As for what to do when the time approaches where the hosted cert needs to be renewed, we are wondering what you (and others) would prefer as a way going forward?
>>
>> Thanks,
>> Mark
>>
>> On 10/23/17, 9:48 AM, "arin-tech-discuss on behalf of Andrew Gallo" <arin-tech-discuss-bounces at arin.net on behalf of akg1330 at gmail.com> wrote:
>>
>>     Greetings:
>>
>>     A question came up at an Internet2 meeting concerning hosted RPKI.
>>     Specifically- what happens at the expiration of the Hosted Certificate?
>>
>>     I see that the hosted certificate has a 10-year validity period, and
>>     ROAs can not be created with dates past the expiration of the Hosted
>>     Certificate.
>>
>>     When the expiration of this certificate is approaching, what is the
>>     procedure?  Do we need to re-request Hosted Access? Regenerate ROAs?
>>     Will there be an overlap period where both the expiring and new
>>     certificates & ROAs will both be valid (to avoid any gaps in coverage)?
>>
>>     Thank you.
>>
>>     _______________________________________________
>>     arin-tech-discuss mailing list
>>     arin-tech-discuss at arin.net
>>     http://lists.arin.net/mailman/listinfo/arin-tech-discuss
>>
>>
>
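
The renewal behaviour discussed in this thread, modelled as an added example (not part of any message and not ARIN's code). Assumptions: "longest validity period" is read as "latest expiry date", the one-year lead time comes from the suggestion quoted above, and all names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ONE_DAY = timedelta(days=1)

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: date
    not_after: date

    def valid_on(self, day: date) -> bool:
        return self.not_before <= day <= self.not_after

def pick_signing_cert(certs, today):
    """Among certificates valid today, prefer the one that expires last."""
    live = [c for c in certs if c.valid_on(today)]
    return max(live, key=lambda c: c.not_after) if live else None

def coverage_gaps(certs):
    """Return (first_day, last_day) spans that no certificate covers."""
    ordered = sorted(certs, key=lambda c: c.not_before)
    gaps, covered_until = [], ordered[0].not_after
    for c in ordered[1:]:
        if c.not_before > covered_until + ONE_DAY:
            gaps.append((covered_until + ONE_DAY, c.not_before - ONE_DAY))
        covered_until = max(covered_until, c.not_after)
    return gaps

def clamp_roa_end(requested_end, cert):
    """A ROA end date cannot pass the expiry of its hosted certificate."""
    return min(requested_end, cert.not_after)

def renewal_window_open(cert, today, lead_days=365):
    """True once today is within lead_days of the certificate's expiry."""
    return today >= cert.not_after - timedelta(days=lead_days)

# Constructed sample data: a 10-year certificate and two possible successors.
OLD = Cert("old", date(2012, 11, 1), date(2022, 10, 31))
NEW_OVERLAP = Cert("new-overlap", date(2021, 11, 1), date(2031, 10, 31))
NEW_LATE = Cert("new-late", date(2022, 11, 15), date(2032, 11, 14))

if __name__ == "__main__":
    print(pick_signing_cert([OLD, NEW_OVERLAP], date(2022, 6, 1)).name)
    print("overlap gaps:", coverage_gaps([OLD, NEW_OVERLAP]))
    print("late-issue gaps:", coverage_gaps([OLD, NEW_LATE]))
    print(clamp_roa_end(date(2025, 1, 1), OLD))
```

With the late successor, the two-week gap is a period in which no hosted certificate is valid, which is the disruption the overlap is meant to prevent.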



