nanog mailing list archives
Re: ARIN RPKI TAL deployment issues
From: John Curran <jcurran () arin net>
Date: Wed, 26 Sep 2018 12:56:26 +0000
On 26 Sep 2018, at 8:21 AM, Job Snijders <job () ntt net<mailto:job () ntt net>> wrote: ARIN and APNIC go further by having indemnification by parties using information in the CA; in ARIN’s case, this requires an explicit act of acceptance to be legally valid. Are you sure about APNIC? The APNIC TAL is available here in a plain and simple format: https://www.apnic.net/community/security/resource-certification/apnic-rpki-trust-anchor-locator/ no mention of indemnification, restrictions, liability, limitations or an agreement Job - From <https://www.apnic.net/manage-ip/myapnic/digital-certificates/ca-terms-conditions/> "CA Terms & Conditions APNIC’s Certification Authority (CA) services are provided under the following terms and conditions: ... • The recipient of any Digital Certificates issued by the APNIC CA service will indemnify APNIC against any and all claims by third parties for damages of any kind arising from the use of that certificate.” I imagine that folks are not aware of that (just as they are unaware of the indemnification in most RIR service agreements) due to absence of any requirement to explicitly acknowledge same. What makes ARIN's situation unique compared to other PKI systems and certificate authorities? I only see examples where relying parties are accomodated in every possible way for access to the root certificates. The requirement upon relying parties is not unique among RIRs - see above re APNIC. There is nothing inherent to PKI that requires specific terms (e.g. indemnification for damages arising from use), but it should not be surprising that the PKI use for routing validation poses the opportunity for very significant damage claims if not done by every network operator according to best practices. In the case of ARIN, this does necessitate indemnification in order to reduce risk exposure to the overall RIR mission. Thanks, /John John Curran President and CEO ARIN
Current thread:
- Re: ARIN RPKI TAL deployment issues, (continued)
- Re: ARIN RPKI TAL deployment issues Christopher Morrow (Sep 25)
- Re: ARIN RPKI TAL deployment issues John Curran (Sep 26)
- Re: ARIN RPKI TAL deployment issues Jared Mauch (Sep 26)
- Re: ARIN RPKI TAL deployment issues John Curran (Sep 26)
- Re: ARIN RPKI TAL deployment issues Jared Mauch (Sep 26)
- Re: ARIN RPKI TAL deployment issues John Curran (Sep 26)
- Re: ARIN RPKI TAL deployment issues Claudio Jeker (Sep 26)
- Re: ARIN RPKI TAL deployment issues Tony Finch (Sep 26)
- Re: ARIN RPKI TAL deployment issues John Curran (Sep 26)
- Re: ARIN RPKI TAL deployment issues Job Snijders (Sep 26)
- Re: ARIN RPKI TAL deployment issues John Curran (Sep 26)
- Re: ARIN RPKI TAL deployment issues Tony Finch (Sep 26)
- Re: ARIN RPKI TAL deployment issues John Curran (Sep 26)
- Re: ARIN RPKI TAL deployment issues Baldur Norddahl (Sep 26)
- Re: ARIN RPKI TAL deployment issues John Curran (Sep 26)
- Re: ARIN RPKI TAL deployment issues Christopher Morrow (Sep 26)
- Re: ARIN RPKI TAL deployment issues Benson Schliesser via NANOG (Sep 26)
- Re: ARIN RPKI TAL deployment issues John Curran (Sep 26)