Re: ARIN RPKI TAL deployment issues

[John Curran <jcurran () arin net>]

On 26 Sep 2018, at 8:21 AM, Job Snijders <job () ntt net<mailto:job () ntt net>> wrote:

ARIN and APNIC go further by having indemnification by parties using
information in the CA; in ARIN’s case, this requires an explicit act
of acceptance to be legally valid.

Are you sure about APNIC? The APNIC TAL is available here in a plain and
simple format:  https://www.apnic.net/community/security/resource-certification/apnic-rpki-trust-anchor-locator/
no mention of indemnification, restrictions, liability, limitations or
an agreement

Job -

From <https://www.apnic.net/manage-ip/myapnic/digital-certificates/ca-terms-conditions/>

"CA Terms & Conditions

APNIC’s Certification Authority (CA) services are provided under the following terms and conditions:
...
• The recipient of any Digital Certificates issued by the APNIC CA service will indemnify APNIC against any and all 
claims by third parties for damages of any kind arising from the use of that certificate.”

I imagine that folks are not aware of that (just as they are unaware of the indemnification in most RIR service 
agreements) due to absence of any requirement to explicitly acknowledge same.

What makes ARIN's situation unique compared to other PKI systems and
certificate authorities? I only see examples where relying parties are
accomodated in every possible way for access to the root certificates.

The requirement upon relying parties is not unique among RIRs - see above re APNIC.   There is nothing inherent to PKI 
that requires specific terms (e.g. indemnification for damages arising from use), but it should not be surprising that 
the PKI use for routing validation poses the opportunity for very significant damage claims if not done by every 
network operator according to best practices.   In the case of ARIN, this does necessitate indemnification in order to 
reduce risk exposure to the overall RIR mission.

Thanks,
/John

John Curran
President and CEO
ARIN