nanog mailing list archives
Re: ARIN RPKI TAL deployment issues
From: Job Snijders <job () ntt net>
Date: Wed, 26 Sep 2018 12:21:09 +0000
On Wed, Sep 26, 2018 at 11:07:49AM +0000, John Curran wrote:
>> Let's Encrypt does not require an agreement from relying parties
>> (i.e. browser users), whereas ARIN does.
>
> That is correct; I did not say that they were parallel situations,
> only pointing out that the Let’s Encrypt folks also go beyond simply
> providing services “as is”, and require indemnification from those
> engaging their CA services, just as ARIN, RIPE, APNIC do…

Indeed, you can download the Let's Encrypt CA here:

https://letsencrypt.org/certificates/
no mention of indemnification, restrictions, liability, limitations or an agreement.

> ARIN and APNIC go further by having indemnification by parties using
> information in the CA; in ARIN’s case, this requires an explicit act
> of acceptance to be legally valid.

Are you sure about APNIC? The APNIC TAL is available here in a plain and simple format:

https://www.apnic.net/community/security/resource-certification/apnic-rpki-trust-anchor-locator/
no mention of indemnification, restrictions, liability, limitations or an agreement

If we take a look at other important PKI root certificates:

https://www.geotrust.com/resources/root-certificates/
quote: "There is no charge for use under these terms and You are not required to sign the agreement to make use of the Root Certificates."

https://www.iana.org/dnssec/files
*all* of DNSSEC depends on this one, no mention of indemnification, restrictions, liability, limitations or an agreement

https://support.comodo.com/index.php?/Knowledgebase/List/Index/71
no mention of indemnification, restrictions, liability, limitations or an agreement

https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates
no mention of indemnification, restrictions, liability, limitations or an agreement

The list goes on and on...

What makes ARIN's situation unique compared to other PKI systems and certificate authorities? I only see examples where relying parties are accommodated in every possible way for access to the root certificates.

Shouldn't the indemnification be just between ARIN and the resource holder? Is there really a necessity to have relying parties agree to anything?

Kind regards,

Job