ARIN RPKI TAL deployment issues
jcurran at arin.net
Wed Sep 26 12:56:26 UTC 2018
On 26 Sep 2018, at 8:21 AM, Job Snijders <job at ntt.net<mailto:job at ntt.net>> wrote:
ARIN and APNIC go further by having indemnification by parties using
information in the CA; in ARIN’s case, this requires an explicit act
of acceptance to be legally valid.
Are you sure about APNIC? The APNIC TAL is available here in a plain and
simple format: https://www.apnic.net/community/security/resource-certification/apnic-rpki-trust-anchor-locator/
no mention of indemnification, restrictions, liability, limitations or
"CA Terms & Conditions
APNIC’s Certification Authority (CA) services are provided under the following terms and conditions:
• The recipient of any Digital Certificates issued by the APNIC CA service will indemnify APNIC against any and all claims by third parties for damages of any kind arising from the use of that certificate.”
I imagine that folks are not aware of that (just as they are unaware of the indemnification in most RIR service agreements) due to absence of any requirement to explicitly acknowledge same.
What makes ARIN's situation unique compared to other PKI systems and
certificate authorities? I only see examples where relying parties are
accomodated in every possible way for access to the root certificates.
The requirement upon relying parties is not unique among RIRs - see above re APNIC. There is nothing inherent to PKI that requires specific terms (e.g. indemnification for damages arising from use), but it should not be surprising that the PKI use for routing validation poses the opportunity for very significant damage claims if not done by every network operator according to best practices. In the case of ARIN, this does necessitate indemnification in order to reduce risk exposure to the overall RIR mission.
President and CEO
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the NANOG