<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hey, </p>
    <div class="moz-cite-prefix">On 23/9/25 12:48 PM, Job Snijders
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CACWOCC-B6BSbMutf_T1HBS=9A_CBr1p+TQY+yXp+YWXg=rfAMQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="auto"><span>On Tue, 23 Sep 2025 at 17:41, Carlos
          Martinez-Cagnazzo &lt;<a href="mailto:carlos@lacnic.net"
            moz-do-not-send="true" class="moz-txt-link-freetext">carlos@lacnic.net</a>&gt;
          wrote:</span><br>
      </div>
      <div dir="auto">
        <div class="gmail_quote gmail_quote_container">
          <blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"
            dir="auto">Thanks Job,<br>
            <br>
            I believe there is a sweet spot somewhere. If you run a
            really large <br>
            org, I believe operationally it makes sense to run your own
            CA. You may <br>
            run into things like the need to run transfers, move space
            from one <br>
            service to the other and you will feel more at home running
            something <br>
            you can deeply integrate with your automation platforms.<br>
            <br>
            If you run a small org, you are definitely better off on
            hosted.</blockquote>
          <div dir="auto"><br>
          </div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">I disagree with some of what you say. Having
            worked for several large orgs, I contend that
            the RIR-provided APIs work just as fine as poking APIs of an
            internal CA; RIR probably better.</div>
        </div>
      </div>
    </blockquote>
    <p>There is a risk-management side of things that we cannot ignore.
      But I digress.</p>
    <p>I think this is one point where we can agree to disagree :-)</p>
    <blockquote type="cite"
cite="mid:CACWOCC-B6BSbMutf_T1HBS=9A_CBr1p+TQY+yXp+YWXg=rfAMQ@mail.gmail.com">
      <div dir="auto">
        <div class="gmail_quote gmail_quote_container">
          <div dir="auto"><br>
          </div>
          <div dir="auto">The observable experience with “a really large
            org running their own CA”, so far has only demonstrated that
            the large org repeated all the mistakes that the RIRs made
            in the beginning.</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">“Large” just doesn’t equate to “good execution”.</div>
          <div dir="auto"><br>
          </div>
        </div>
      </div>
    </blockquote>
    <p>IMO that's a separate discussion. I agree with you, but I believe
      that should be taken care of "out of band" if you will. Be it
      policies, MANRS or whatnot. </p>
    <p>One thing I believe we would all benefit from is some form of
      "RPKI Etiquette" that of course involves properly running delegated
      CAs.</p>
    <blockquote type="cite"
cite="mid:CACWOCC-B6BSbMutf_T1HBS=9A_CBr1p+TQY+yXp+YWXg=rfAMQ@mail.gmail.com">
      <div dir="auto">
        <div class="gmail_quote gmail_quote_container">
          <div dir="auto">Kind regards,</div>
          <div dir="auto"><br>
          </div>
          <div dir="auto">Job</div>
        </div>
      </div>
    </blockquote>
    /Carlos
  </body>
</html>