On Wed, Sep 26, 2018 at 11:07:49AM +0000, John Curran wrote: > > Let's Encrypt does not require an agreement from relying parties > > (i.e. browser users), whereas ARIN does. > > That is correct; I did not say that they were parallel situations, > only pointing out that the Let’s Encrypt folks also go beyond simply > providing services “as is”, and require indemnification from those > engaging their CA services, just as ARIN, RIPE, APNIC do…
Indeed, you can download the Let's Encrypt CA here: https://letsencrypt.org/certificates/ no mention of indemnification, restrictions, liability, limitations or an agreement. > ARIN and APNIC go further by having indemnification by parties using > information in the CA; in ARIN’s case, this requires an explicit act > of acceptance to be legally valid. Are you sure about APNIC? The APNIC TAL is available here in a plain and simple format: https://www.apnic.net/community/security/resource-certification/apnic-rpki-trust-anchor-locator/ no mention of indemnification, restrictions, liability, limitations or an agreement If we take a look at other important PKI root certificates: https://www.geotrust.com/resources/root-certificates/ quote: "There is no charge for use under these terms and You are not required to sign the agreement to make use of the Root Certificates." https://www.iana.org/dnssec/files *all* of DNSSEC depends on this one, no mention of indemnification, restrictions, liability, limitations or an agreement https://support.comodo.com/index.php?/Knowledgebase/List/Index/71 no mention of indemnification, restrictions, liability, limitations or an agreement https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates no mention of indemnification, restrictions, liability, limitations or an agreement The list goes on and on... What makes ARIN's situation unique compared to other PKI systems and certificate authorities? I only see examples where relying parties are accomodated in every possible way for access to the root certificates. Shouldn't the indemnification be just between ARIN and the resource holder? Is there really a necessity to have relying parties agree to anything? Kind regards, Job
