[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

John Curran jcurran at arin.net
Thu Dec 6 20:47:38 EST 2012


On Dec 5, 2012, at 5:18 PM, Owen DeLong <owen at delong.com> wrote:

On Dec 5, 2012, at 13:18 , John Curran <jcurran at arin.net> wrote:
Wes -

 We've done extensive legal work, but outlining the circumstances of
 potential liability publicly is not something that makes sense for ARIN
 to do. If you obtain commercial certificates (e.g. SSL), you will generally
 find that you enter into agreements that require you provide indemnification
 to the provider based on your use of the certificate.

But the purchaser (web site) is rarely the relying party (visitor to web site).

Correct.  In the case of an SSL certificate, the organization obtaining it is generally
the harmed party if something goes wrong or they misuse it (e.g. Internet users can't
get to their application, or receive an interesting warning, etc.)  While the relying party
is technically the end-user and his browser, the consequences for any one user are
really quite low.  The user may not indemnify the certificate provider as a result, but
the organization obtaining the certificate does.

With ARIN RPKI, you've seriously expanded and effectively reversed the
nature of the contractual relationship in the creation of the RPA. You're
not only requiring those receiving certificates to sign, you're requiring
those obtaining certificate data to sign.

Those validating certificates are "relying parties", and yes, we require them to
have a "relying party agreement."  Note that in this case, the relying party is
likely to be an entire organization or service provider, as opposed to a single
user, and the consequences of incorrect usage could be quite extensive and
impacting many parties who are downstream of the relying party.  The scale
and potential for consequences to entire organizations otherwise unaware of
the use of the technology more than warrants seeking indemnification from relying
parties, just as organizations using certificates for the web sites provide it to their
service providers.

FYI,
/John

John Curran
President and CEO
ARIN

