[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

John Curran jcurran at arin.net
Wed Dec 5 13:37:04 EST 2012


On Dec 5, 2012, at 1:16 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:

> On Wed, Dec 5, 2012 at 5:47 AM, John Curran <jcurran at arin.net> wrote:
>> ...
>>   A certificate user should review the certificate policy generated by
>>   the certification authority (CA) before relying on the authentication
>>   or non-repudiation services associated with the public key in a
>>   particular certificate.  To this end, this standard does not
>>   prescribe legally binding rules or duties.
> 
> that's a bummer ;(
> Do other certificate/CA people require you to download and agree to an
> RPA-like thing before using their services? (I'm thinking of like
> Thawte, CN-NIC, Verisign^H^H^H^H^HSymantec, GlobalTrust, etc?) I don't
> think they do, why don't they? Their certs could be used to sign
> things on 'emergency services/etc' things, no?

You would have to check such parties about the terms and conditions on 
their services.

> I'm concerned that we're being more cautious than is reasonable, and
> imposing some odd constraints/requirements on the global userbase.

As I noted earlier, my guidance was to provide the RPKI services without
posing undue risk to ARIN's existing mission. As a result, we need a real
relying party agreement that makes plain the conditions of the service.
I'll note that we've also received praise from some folks who appreciate
ARIN's level of due diligence in this area, given that operators could be 
adding a new component of risk to their existing business based on using 
RPKI information from other parties, and accepting such risks is a decision 
that should be made at an organizational level.

FYI,
/John

John Curran
President and CEO
ARIN



