[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

John Curran jcurran at arin.net
Wed Dec 5 16:18:22 EST 2012


On Dec 5, 2012, at 3:21 PM, "George, Wes" <wesley.george at twcable.com> wrote:

[WEG] Sorry John, that’s kind of a cop-out answer to a legitimate question. I am neither a lawyer, a CEO, nor an expert when it comes to PKI, but if I were being asked to set up a procedural and contractual framework for a new type of PKI that had potentially nasty new failure modes and questions over liability, one of the first places I would look for precedent and clues would be existing CAs, with a specific eye toward whether they use the indemnification/hold harmless model vs something less stringent like “no warranty” or if they instead acknowledge that there is a potential for liability if there is demonstrable negligence on the part of the CA. I’d even be looking to see if there were relevant cases stemming from the breaches of Diginotar and Comodo that dealt with liability/negligence, especially as it related to third-party involvement.
Are you telling me that as a part of ARIN’s lengthy due diligence regarding the legal issues surrounding this that you didn’t look at this for guidance? As a related question to Chris’s, is there something about the operating agreement that the other RIRs have in place with their members or the laws in the region in which they’re incorporated that hasn’t made them all say “aha, ARIN is right, we should all implement an RPA lest we get sued”?

Wes -

 We've done extensive legal work, but outlining the circumstances of
 potential liability publicly is not something that makes sense for ARIN
 to do.   If you obtain commercial certificates (e.g. SSL), you will generally
 find that you enter into agreements that require you to provide indemnification
 to the provider based on your use of the certificate.

[WEG] It’s possible that these are mutually exclusive goals. Unless there is precedent to the contrary, I think it is a reasonable expectation that if you wish to be trusted as a certificate authority or TA, you have to have the necessary documented rigor in your processes and methods to be seen as a trustworthy source, such that it is defensible when someone comes back trying to blame you when something goes pear-shaped.

Indeed.  In fact, we likely are stronger there in terms of process and systems
than anyone would expect.

A signed contract indemnifying you is unlikely to prevent savvy lawyers from trying to prove demonstrable negligence if they believe that it exists, while proof that you have good process in place and you followed it exactly but something happened beyond your control will go a long way.

Agreed.  I am not at all worried about our performance or any fault on ARIN's part,
but that will not deter a multiyear litigation over proving exactly that fact.  This is
why an indemnification is rather important, because it reduces the potential for
such litigation upfront, and hence why it is a standard component of many types
of service contracts including ISP and certificate providers.

FYI,
/John

John Curran
President and CEO
ARIN
