[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...
Owen DeLong
owen at delong.com
Wed Dec 5 17:18:07 EST 2012
On Dec 5, 2012, at 13:18 , John Curran <jcurran at arin.net> wrote:
> On Dec 5, 2012, at 3:21 PM, "George, Wes" <wesley.george at twcable.com> wrote:
>
>> [WEG] Sorry John, that’s kind of a cop-out answer to a legitimate question. I am neither a lawyer, a CEO, nor an expert when it comes to PKI, but if I were being asked to set up a procedural and contractual framework for a new type of PKI that had potentially nasty new failure modes and questions over liability, one of the first places I would look for precedent and clues would be existing CAs, with a specific eye toward whether they use the indemnification/hold harmless model vs something less stringent like “no warranty” or if they instead acknowledge that there is a potential for liability if there is demonstrable negligence on the part of the CA. I’d even be looking to see if there were relevant cases stemming from the breaches of Diginotar and Comodo that dealt with liability/negligence, especially as it related to third-party involvement.
>> Are you telling me that as a part of ARIN’s lengthy due diligence regarding the legal issues surrounding this that you didn’t look at this for guidance? As a related question to Chris’s, is there something about the operating agreement that the other RIRs have in place with their members or the laws in the region in which they’re incorporated that hasn’t made them all say “aha, ARIN is right, we should all implement an RPA lest we get sued”?
>
> Wes -
>
> We've done extensive legal work, but outlining the circumstances of
> potential liability publicly is not something that makes sense for ARIN
> to do. If you obtain commercial certificates (e.g. SSL), you will generally
> find that you enter into agreements that require you to provide indemnification
> to the provider based on your use of the certificate.
But the purchaser (web site) is rarely the relying party (visitor to web site).
With ARIN RPKI, you've seriously expanded and effectively reversed the
nature of the contractual relationship in the creation of the RPA. You're
not only requiring those receiving certificates to sign, you're requiring
those obtaining certificate data to sign.
Owen