[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

John Curran jcurran at arin.net
Wed Dec 5 05:47:56 EST 2012


On Dec 5, 2012, at 1:40 AM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> doesn't the CPS do this though as well? It's part of the point of the
> CPS really, I thought.

The CPS is not legally binding on its own; ergo, an organization may
not even bother to read it.

>> its capabilities, and is baseline requirement contained in RFC 5280
>> for prospective relying parties prior to them relying on the
>> authentication or non-repudiation services associated with the public
>> key in a particular certificate.
> 
> 5280 is an rfc about CRLs and basic pkix x509 certs...

And that RFC states basic requirements needed for the PKIX x509 profile 
to work successfully, including: 

"
2.  Requirements and Assumptions

   The goal of this specification is to develop a profile to facilitate
   the use of X.509 certificates within Internet applications for those
   communities wishing to make use of X.509 technology.  Such
   applications may include WWW, electronic mail, user authentication,
   and IPsec.  In order to relieve some of the obstacles to using X.509
   certificates, this document defines a profile to promote the
   development of certificate management systems, development of
   application tools, and interoperability determined by policy.
...
   A certificate user should review the certificate policy generated by
   the certification authority (CA) before relying on the authentication
   or non-repudiation services associated with the public key in a
   particular certificate.  To this end, this standard does not
   prescribe legally binding rules or duties.
"

>> Acknowledging the RPA occurs once with the download of ARIN's TAL;
>> while it is an additional step, it's likely to be relatively small
>> compared to the myriad of other tasks involved in setup of any RPKI-
>> based validation.
> 
> sure, maybe. it seems like an unnecessary step though, since the same
> sort of data is in the CPS, i think.

It being in the CPS does not mean that an organization has actually
considered it; it is that very evaluation, which results from being
bound to the conditions in the CP/CPS, that underlies the purpose of the RPA.

>> This is also important to ARIN as an organization, as having a record
>> that parties will not rely on the RPKI services at this time for life-
>> critical or environmentally critical (as an example) could be important
>> in some circumstances, and protecting ARIN in the rollout of this new
>> service was deemed a priority by the Board.
> 
> this is covered in the cps, I think... you could certainly add in the
> 'do not rely on this for life relevant services' if you wanted, but
> really 8.8 seems to cover it, to me.

See above: not legally binding and may not even be seen unless
referenced in actual agreement (and I'm not sure we all want to 
live in a world where terms of a CPS bind simply by verifying 
the certificates that come out of the associated CA...)

FYI,
/John

John Curran
President and CEO
ARIN
