[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ARIN RPKI TAL deployment issues

Subject: ARIN RPKI TAL deployment issues
From: job at ntt.net (Job Snijders)
Date: Wed, 26 Sep 2018 12:21:09 +0000
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <CA[email protected]> <[email protected]> <[email protected]> <[email protected]>

On Wed, Sep 26, 2018 at 11:07:49AM +0000, John Curran wrote:
> > Let's Encrypt does not require an agreement from relying parties
> > (i.e.  browser users), whereas ARIN does.
> 
> That is correct; I did not say that they were parallel situations,
> only pointing out that the Letâ??s Encrypt folks also go beyond simply
> providing services â??as isâ??, and require indemnification from those
> engaging their CA services, just as ARIN, RIPE, APNIC doâ?¦  

Indeed, you can download the Let's Encrypt CA here:
https://letsencrypt.org/certificates/ no mention of indemnification,
restrictions, liability, limitations or an agreement.

> ARIN and APNIC go further by having indemnification by parties using
> information in the CA; in ARINâ??s case, this requires an explicit act
> of acceptance to be legally valid.

Are you sure about APNIC? The APNIC TAL is available here in a plain and
simple format:  https://www.apnic.net/community/security/resource-certification/apnic-rpki-trust-anchor-locator/
no mention of indemnification, restrictions, liability, limitations or
an agreement

If we take a look at other important PKI root certificates:

https://www.geotrust.com/resources/root-certificates/
    quote: "There is no charge for use under these terms and You are not
    required to sign the agreement to make use of the Root
    Certificates."

https://www.iana.org/dnssec/files
    *all* of DNSSEC depends on this one, no mention of indemnification,
    restrictions, liability, limitations or an agreement

https://support.comodo.com/index.php?/Knowledgebase/List/Index/71
    no mention of indemnification, restrictions, liability, limitations
    or an agreement

https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates
    no mention of indemnification, restrictions, liability, limitations
    or an agreement

The list goes on and on...

What makes ARIN's situation unique compared to other PKI systems and
certificate authorities? I only see examples where relying parties are
accomodated in every possible way for access to the root certificates.

Shouldn't the indemnification be just between ARIN and the resource
holder? Is there really a necessity to have relying parties agree to
anything?

Kind regards,

Job

Follow-Ups:
- ARIN RPKI TAL deployment issues
  - From: jcurran at arin.net (John Curran)

References:
- ARIN RPKI TAL deployment issues
  - From: job at ntt.net (Job Snijders)
- ARIN RPKI TAL deployment issues
  - From: jcurran at istaff.org (John Curran)
- ARIN RPKI TAL deployment issues
  - From: job at ntt.net (Job Snijders)
- ARIN RPKI TAL deployment issues
  - From: jcurran at arin.net (John Curran)
- ARIN RPKI TAL deployment issues
  - From: jared at puck.nether.net (Jared Mauch)
- ARIN RPKI TAL deployment issues
  - From: jcurran at arin.net (John Curran)
- ARIN RPKI TAL deployment issues
  - From: morrowc.lists at gmail.com (Christopher Morrow)
- ARIN RPKI TAL deployment issues
  - From: jcurran at arin.net (John Curran)
- ARIN RPKI TAL deployment issues
  - From: dot at dotat.at (Tony Finch)
- ARIN RPKI TAL deployment issues
  - From: jcurran at arin.net (John Curran)

Prev by Date: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)
Next by Date: ARIN RPKI TAL deployment issues
Previous by thread: ARIN RPKI TAL deployment issues
Next by thread: ARIN RPKI TAL deployment issues
Index(es):
- Date
- Thread