On 26 Sep 2018, at 11:02 AM, Tony Finch <dot@dotat.at> wrote:

John Curran <jcurran@arin.net> wrote:

From <https://www.apnic.net/manage-ip/myapnic/digital-certificates/ca-terms-conditions/>

"CA Terms & Conditions

APNIC’s Certification Authority (CA) services are provided under the
following terms and conditions: ...

• The recipient of any Digital Certificates issued by the APNIC CA
service will indemnify APNIC against any and all claims by third parties
for damages of any kind arising from the use of that certificate.”

That's about certificates, not about trust anchors. It applies to APNIC
members and account holders, not to relying parties.

Tony - 

Interesting assertion… while APNIC does issue digital certificates to APNIC customers for identity authentication purposes, it also issues digital certificates for RPKI. 

It’s possible that the intent that the term “Digital Certificates” (capitalized) in the CA Terms and Conditions refers to only to those within APNIC’s identity CA, but the argument against that would be APNIC’s online information about "Digital Certificates" -  

=== From <https://www.apnic.net/manage-ip/myapnic/digital-certificates/about-cas/>)

What is a Digital Certificate?

Digital Certificates bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. APNIC uses electronic certificates to prove its own identity, the identity of its Members, and the right-of-use over Internet resources.

APNIC issues regular Public Key Infrastructure (PKI) certificates for access control to APNIC services such as the MyAPNIC Member services website.

In the case of Resource Certification, APNIC issues Resource Public Key Infrastructure (RPKI) certificates that have ‘Certificate Extensions’ added. These Certificate Extensions carry the Internet number resources allocated or assigned to the APNIC Member who is the subject of the Resource Certificate. These Resource Certificates are different to the identity certificates used for Web system access, and may only be used in the context of verifying an entity’s “right-of-use” over an IP address or AS. As a result, APNIC now manages two independent certificate authorities, one for Member services, and the second for Resource Certification.
===

Given that APNIC explicitly mentions the RPKI electronic certificates in their explanation of what Digital Certificates are (and further noting that ROA’s do indeed contain within them end-entity resource certificates with keys for verification), APNIC”s overall CA Terms and Conditions, including the referenced indemnification clause, would appear to be applicable to their RPKI CA services. 

If the intent was indeed to limit the scope, then then APNIC could have easily used the term “Identity Certificates” in the indemnification clause to make clear its limited scope; i.e. if you’re particularly concerned about liability from the resulting indemnification, it might be best to get this clarified one way or the other from APNIC. 

Thanks!
/John

John Curran
President and CEO
ARIN