[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

George, Wes wesley.george at twcable.com
Wed Dec 5 15:21:50 EST 2012


Replying to http://lists.arin.net/pipermail/arin-discuss/2012-December/002340.html
Apologies for the weird quoting method, I don't have the actual email to reply to because I was following this thread via the archive until just now when I subscribed/delurked.

From: John Curran (jcurran at arin.net)

On Dec 5, 2012, at 1:16 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> Do other certificate/CA people require you to download and agree to an
> RPA-like thing before using their services? (I'm thinking of like
> Thawte, CN-NIC, Verisign^H^H^H^H^HSymantec, GlobalTrust, etc?) I don't
> think they do, why don't they? Their certs could be used to sign
> things on 'emergency services/etc' things, no?

You would have to check such parties about the terms and conditions on
their services.

[WEG] Sorry John, that's kind of a cop-out answer to a legitimate question. I am neither a lawyer, a CEO, nor an expert when it comes to PKI, but if I were being asked to set up a procedural and contractual framework for a new type of PKI that had potentially nasty new failure modes and questions over liability, one of the first places I would look for precedent and clues would be existing CAs, with a specific eye toward whether they use the indemnification/hold-harmless model vs. something less stringent like "no warranty", or if they instead acknowledge that there is a potential for liability if there is demonstrable negligence on the part of the CA. I'd even be looking to see if there were relevant cases stemming from the breaches of DigiNotar and Comodo that dealt with liability/negligence, especially as it related to third-party involvement.
Are you telling me that as a part of ARIN's lengthy due diligence regarding the legal issues surrounding this, you didn't look at this for guidance? As a related question to Chris's: is there something about the operating agreement that the other RIRs have in place with their members, or the laws in the regions in which they're incorporated, that hasn't made them all say "aha, ARIN is right, we should all implement an RPA lest we get sued"?

As I noted earlier, my guidance was to provide the RPKI services without
posing undue risk to ARIN's existing mission

[WEG] It's possible that these are mutually exclusive goals. Unless there is precedent to the contrary, I think it is a reasonable expectation that if you wish to be trusted as a certificate authority or TA, you have to have the necessary documented rigor in your processes and methods to be seen as a trustworthy source, such that it is defensible when someone comes back trying to blame you when something goes pear-shaped. A signed contract indemnifying you is unlikely to prevent savvy lawyers from trying to prove demonstrable negligence if they believe that it exists, while proof that you have good process in place and you followed it exactly but something happened beyond your control will go a long way.

Wes George
