On 26 Sep 2018, at 8:21 AM, Job Snijders <j...@ntt.net<mailto:j...@ntt.net>> wrote:
ARIN and APNIC go further by having indemnification by parties using information in the CA; in ARIN’s case, this requires an explicit act of acceptance to be legally valid. Are you sure about APNIC? The APNIC TAL is available here in a plain and simple format: https://www.apnic.net/community/security/resource-certification/apnic-rpki-trust-anchor-locator/ no mention of indemnification, restrictions, liability, limitations or an agreement Job - From <https://www.apnic.net/manage-ip/myapnic/digital-certificates/ca-terms-conditions/> "CA Terms & Conditions APNIC’s Certification Authority (CA) services are provided under the following terms and conditions: ... • The recipient of any Digital Certificates issued by the APNIC CA service will indemnify APNIC against any and all claims by third parties for damages of any kind arising from the use of that certificate.” I imagine that folks are not aware of that (just as they are unaware of the indemnification in most RIR service agreements) due to absence of any requirement to explicitly acknowledge same. What makes ARIN's situation unique compared to other PKI systems and certificate authorities? I only see examples where relying parties are accomodated in every possible way for access to the root certificates. The requirement upon relying parties is not unique among RIRs - see above re APNIC. There is nothing inherent to PKI that requires specific terms (e.g. indemnification for damages arising from use), but it should not be surprising that the PKI use for routing validation poses the opportunity for very significant damage claims if not done by every network operator according to best practices. In the case of ARIN, this does necessitate indemnification in order to reduce risk exposure to the overall RIR mission. Thanks, /John John Curran President and CEO ARIN
