Well, if you use a ROA as your only signed object, then yes. But really I was hinting at RTA or RSC: use the mechanism to countersign an instruction to RADB or any other IRR specifically about the RPSL you want to eject. Not "because ROA do this" but "do this specific thing I command because I control the assets" G On Sat, 13 Nov 2021, 11:18 am Rubens Kuhl, <rubensk@gmail.com> wrote:
On Fri, Nov 12, 2021 at 9:56 PM George Michaelson <ggm@algebras.org> wrote:
Wouldn't it be cool if we had a cryptographic mechanism to sign an authority to the IRR publisher to eject old data.
Some way you could prove you have control of the asset, and the let the RADB people know you repudiated some old data, made under somebody else's authority which you can't remove directly, even though it's probably stale.
Something like a PKI tagged with your addresses and/or ASN.
That only helps with wrong origin IRR records. While this is the case at hand, a lot of proxy objects have correct origin attributes, and are just managed by the wrong person.
That said, TC IRR is currently using RPKI validation and the curious result is that most RPKI-triggered removals are objects sent by the own AS, but with a more specific prefix that what's published in RPKI.
Rubens