[arin-ppml] RPKI Relying Agreement

[Michael Sinatra]

On 12/04/2014 09:33, John Curran wrote:

>> Review
>> <http://www.apnic.net/services/manage-resources/digital-certificates/terms-and-conditions> 
>> wherein there is a limitation of liability and requirement that a
>> recipient of any digital certificate 
>> will indemnify APNIC against any and all claims by third parties for
>> damages of any kind arising 
>> from the use of that certificate. (last two bullets)

And as I mentioned to you in response, that final bullet applies to
"recipients of certificates issued by APNIC," so I would expect it to
apply to someone who has an EE cert for a set of resources, NOT to
someone who is using a trust anchor locator to validate the EE cert and
the ROAs derived from it.

If you take the interpretation that anyone who validates an APNIC cert
is indemnifying APNIC, then anyone who visits a website using TLS, where
the website has an APNIC cert as its TLS cert, is also indemnifying
APNIC.  IANAL, but I don't think anyone would see such an interpretation
as reasonable.

At any rate, I discussed this at an RPKI workshop at the Internet2 Tech
Exchange, and many of the EDU-types that I talked to there are in a
similar boat as I am--their organizations flat-out won't let them sign
such an agreement.  We're not going to have any reasonable uptake of
RPKI deployment with a TAL agreement like this one--it's a show stopper
for many organizations.

As always, I reserve the right to be wrong, and I look forward to seeing
the results of the survey, which I have completed on behalf of my
organization (ESnet, operated by the Lawrence Berkeley National Lab,
which is in turn operated by the University of California).

michael