From: NANOG <> on behalf of John Curran 
Date: Wednesday, 26 September 2018 at 16:51
To: Tony Finch <>
Cc: David Wishnick <>, nanog list <>, Job Snijders <>
Subject: Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 11:02 AM, Tony Finch <> wrote:

John Curran <> wrote:


“CA Terms & Conditions

APNIC’s Certification Authority (CA) services are provided under the
following terms and conditions: ...

• The recipient of any Digital Certificates issued by the APNIC CA
service will indemnify APNIC against any and all claims by third parties
for damages of any kind arising from the use of that certificate.”

That's about certificates, not about trust anchors. It applies to APNIC
members and account holders, not to relying parties.

Tony -

Interesting assertion… while APNIC does issue digital certificates to APNIC 
customers for identity authentication purposes, it also issues digital 
certificates for RPKI.

It’s possible that the intent was that the term “Digital Certificates” 
(capitalized) in the CA Terms and Conditions refers only to those within 
APNIC’s identity CA, but the argument against that would be APNIC’s online 
information about “Digital Certificates” -

=== From 

What is a Digital Certificate?

Digital Certificates bind an identity to a pair of electronic keys that can be 
used to encrypt and sign digital information. APNIC uses electronic 
certificates to prove its own identity, the identity of its Members, and the 
right-of-use over Internet resources.

APNIC issues regular Public Key Infrastructure (PKI) certificates for access 
control to APNIC services such as the MyAPNIC Member services website.

In the case of Resource Certification, APNIC issues Resource Public Key 
Infrastructure (RPKI) certificates that have ‘Certificate Extensions’ added. 
These Certificate Extensions carry the Internet number resources allocated or 
assigned to the APNIC Member who is the subject of the Resource Certificate. 
These Resource Certificates are different to the identity certificates used for 
Web system access, and may only be used in the context of verifying an entity’s 
“right-of-use” over an IP address or AS. As a result, APNIC now manages two 
independent certificate authorities, one for Member services, and the second 
for Resource Certification.

Given that APNIC explicitly mentions the RPKI electronic certificates in their 
explanation of what Digital Certificates are (and further noting that ROAs do 
indeed contain within them end-entity resource certificates with keys for 
verification), APNIC’s overall CA Terms and Conditions, including the 
referenced indemnification clause, would appear to be applicable to their RPKI 
CA services.

If the intent was indeed to limit the scope, then APNIC could have easily 
used the term “Identity Certificates” in the indemnification clause to make 
clear its limited scope; i.e. if you’re particularly concerned about liability 
from the resulting indemnification, it might be best to get this clarified one 
way or the other from APNIC.


John Curran
President and CEO

I asked APNIC about this and they confirmed that making use of their RPKI TAL 
does not bind you to their CA terms and conditions, so there’s no indemnity.

Edward Dore
Freethought Internet
