<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Replying to <a href="http://lists.arin.net/pipermail/arin-discuss/2012-December/002340.html">
http://lists.arin.net/pipermail/arin-discuss/2012-December/002340.html</a><o:p></o:p></p>
<p class="MsoNormal">Apologies for the weird quoting method, I don’t have the actual email to reply to because I was following this thread via the archive until just now when I subscribed/delurked.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><strong>From:</strong> John Curran (<em>jcurran at arin.net</em>)</p>
<div style="mso-element:para-border-div;border:none;border-top:solid black 1.0pt;padding:12.0pt 0in 0in 0in;background:white;margin-left:12.0pt;margin-right:0in">
<pre style="line-height:12.0pt;background:white;border:none;padding:0in">On Dec 5, 2012, at 1:16 PM, Christopher Morrow &lt;morrowc.lists at gmail.com&gt; wrote:

&gt; Do other certificate/CA people require you to download and agree to an
&gt; RPA-like thing before using their services? (I'm thinking of like
&gt; Thawte, CN-NIC, Verisign^H^H^H^H^HSymantec, GlobalTrust, etc?) I don't
&gt; think they do, why don't they? Their certs could be used to sign
&gt; things on 'emergency services/etc' things, no?

You would have to check such parties about the terms and conditions on
their services.</pre>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[WEG] Sorry John, that’s kind of a cop-out answer to a legitimate question. I am neither a lawyer, a CEO, nor an expert when it comes to PKI, but if I were being asked to set up a procedural and contractual framework for a new type of PKI
that had potentially nasty new failure modes and questions over liability, one of the first places I would look for precedent and clues would be existing CAs, with a specific eye toward whether they use the indemnification/hold harmless model vs something
less stringent like “no warranty” or if they instead acknowledge that there is a potential for liability if there is demonstrable negligence on the part of the CA. I’d even be looking to see if there were relevant cases stemming from the breaches of DigiNotar
and Comodo that dealt with liability/negligence, especially as it related to third-party involvement.<o:p></o:p></p>
<p class="MsoNormal">Are you telling me that as a part of ARIN’s lengthy due diligence regarding the legal issues surrounding this that you didn’t look at this for guidance? As a related question to Chris’s, is there something about the operating agreement
that the other RIRs have in place with their members or the laws in the region in which they’re incorporated that hasn’t made them all say “aha, ARIN is right, we should all implement an RPA lest we get sued”?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="mso-element:para-border-div;border:none;border-top:solid black 1.0pt;padding:12.0pt 0in 0in 0in;background:white;margin-left:12.0pt;margin-right:0in">
<p class="MsoNormal" style="margin-top:6.0pt;line-height:12.0pt;background:white;border:none;padding:0in">
<span style="font-size:10.0pt;font-family:'Courier New';color:black">As I noted earlier, my guidance was to provide the RPKI services without
posing undue risk to ARIN's existing mission</span></p>
</div>
<p class="MsoNormal">[WEG] It’s possible that these are mutually exclusive goals. Unless there is precedent to the contrary, I think it is a reasonable expectation that if you wish to be trusted as a certificate authority or TA, you have to have the necessary
documented rigor in your processes and methods to be seen as a trustworthy source, such that it is defensible when someone comes back trying to blame you when something goes pear-shaped. A signed contract indemnifying you is unlikely to prevent savvy lawyers
from trying to prove demonstrable negligence if they believe that it exists, while proof that you have good process in place and you followed it exactly but something happened beyond your control will go a long way.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Wes George<o:p></o:p></p>
</div>
</body>
</html>