ARIN RPKI TAL deployment issues

Job Snijders job at ntt.net
Wed Sep 26 12:21:09 UTC 2018


On Wed, Sep 26, 2018 at 11:07:49AM +0000, John Curran wrote:
> > Let's Encrypt does not require an agreement from relying parties
> > (i.e.  browser users), whereas ARIN does.
> 
> That is correct; I did not say that they were parallel situations,
> only pointing out that the Let’s Encrypt folks also go beyond simply
> providing services “as is”, and require indemnification from those
> engaging their CA services, just as ARIN, RIPE, APNIC do…  

Indeed, you can download the Let's Encrypt CA here:
https://letsencrypt.org/certificates/ no mention of indemnification,
restrictions, liability, limitations or an agreement.

> ARIN and APNIC go further by having indemnification by parties using
> information in the CA; in ARIN’s case, this requires an explicit act
> of acceptance to be legally valid.

Are you sure about APNIC? The APNIC TAL is available here in a plain and
simple format:  https://www.apnic.net/community/security/resource-certification/apnic-rpki-trust-anchor-locator/
no mention of indemnification, restrictions, liability, limitations or
an agreement

If we take a look at other important PKI root certificates:

https://www.geotrust.com/resources/root-certificates/
    quote: "There is no charge for use under these terms and You are not
    required to sign the agreement to make use of the Root
    Certificates."

https://www.iana.org/dnssec/files
    *all* of DNSSEC depends on this one, no mention of indemnification,
    restrictions, liability, limitations or an agreement

https://support.comodo.com/index.php?/Knowledgebase/List/Index/71
    no mention of indemnification, restrictions, liability, limitations
    or an agreement

https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates
    no mention of indemnification, restrictions, liability, limitations
    or an agreement

The list goes on and on...

What makes ARIN's situation unique compared to other PKI systems and
certificate authorities? I only see examples where relying parties are
accomodated in every possible way for access to the root certificates.

Shouldn't the indemnification be just between ARIN and the resource
holder? Is there really a necessity to have relying parties agree to
anything?

Kind regards,

Job


More information about the NANOG mailing list