<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word;-webkit-nbsp-mode: space;line-break:after-white-space"> <div class="WordSection1"> <p class="MsoNormal">I would suggest that you allow multiple CAs to publish to your publication server/repository. This will allow operators to create child CAs in krill (or other CAs) and assign prefixes from the parent CA to these child CAs. The child CAs can then be assigned to various business units within an organization. Each business unit can then be responsible for the generation/maintenance of their own ROAs.<o:p></o:p></p> <p class="MsoNormal">Also, I suggest that the industry standardize on a term used for this service. I am partial to the term “hybrid” which ARIN and others are using. The three options being hosted, delegated, and hybrid. “Publish in Parent” seems like a mouthful. Maybe we can compress it to “PiP”? <span style="font-family:"Apple Color Emoji""> 😊</span><o:p></o:p></p> <p class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal">-Rich<o:p></o:p></p> <p class="MsoNormal"><o:p> </o:p></p> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"> <p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">routing-wg <routing-wg-bounces@ripe.net> on behalf of Felipe Victolla Silveira <fvictolla@ripe.net><br> <b>Date: </b>Thursday, September 29, 2022 at 8:15 AM<br> <b>To: </b>"routing-wg@ripe.net" <routing-wg@ripe.net><br> <b>Subject: </b>[EXTERNAL] [routing-wg] Publish in Parent - input requested<o:p></o:p></span></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div style="border:solid #5A5A5A 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt"> <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt;background:#235C70"> <strong><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:white">CAUTION:</span></strong><span style="font-size:10.0pt;color:white"> The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance. </span><o:p></o:p></p> </div> <p class="MsoNormal"><span style="color:black">Dear all,<br> <br> As some of you are aware, the RIPE NCC has been working on a new service for RPKI, called Publish in Parent. This service is intended for RPKI users who have chosen to run their own Certificate Authority (delegated RPKI) but don’t want to take the burden of maintaining a highly available publication point. By using this service, it will be possible for our members with delegated RPKI to publish their signed RPKI objects in the RIPE NCC repositories (RRDP and rsync) instead of maintaining their own.<br> <br> Following a discussion with the Executive Board in our meeting last June, we would like to ask our community for input on the requirements for this service. The service was originally designed to allow all objects to be published in our repositories, regardless of whether the associated resources are part of the RIPE NCC or another RIR, and this is how we would like to proceed. However, it has been argued that there should be a restriction in this service so that it allows only RIPE NCC resources to be published and not resources belonging to a different RIR.<br> <br> If you are potential user of this service, what are your expectations for its functionality? Do you want to be able to publish all your objects in RIPE NCC repositories, regardless of whether they are from the RIPE NCC or not? Or will you publish each object in the corresponding RIR repositories? Please note that we are only talking about publication. The objects out of region will be signed with their own parent certificate.<br> <br> If you are a developer of one of the Relying Party softwares, will the presence or absence of such a restriction impact your software package in any way? Do you expect the need to make changes, depending on the direction this takes?<br> <br> To make informed decisions on how we should progress with Publish in Parent, we need input from potential users of the service. Please reply with your feedback until 14 October so we can incorporate it in our planning and inform you about our progress at RIPE 85.<br> <br> Kind regards,</span> <o:p></o:p></p> <div> <p class="MsoNormal"><span style="color:black"><br> <br> </span><o:p></o:p></p> <div> <p class="MsoNormal"><span style="color:black">Felipe Victolla Silveira</span><o:p></o:p></p> </div> <div> <p class="MsoNormal"><span style="color:black">Chief Operations Officer</span><o:p></o:p></p> </div> <div> <p class="MsoNormal"><span style="color:black">RIPE NCC</span><o:p></o:p></p> </div> </div> </div> The contents of this e-mail message and <br>any attachments are intended solely for the <br>addressee(s) and may contain confidential <br>and/or legally privileged information. If you<br>are not the intended recipient of this message<br>or if this message has been addressed to you <br>in error, please immediately alert the sender<br>by reply e-mail and then delete this message <br>and any attachments. If you are not the <br>intended recipient, you are notified that <br>any use, dissemination, distribution, copying,<br>or storage of this message or any attachment <br>is strictly prohibited.</body> </html>