On 26 Sep 2018, at 6:42 AM, Tony Finch <dot@dotat.at> wrote:
John Curran <jcurran@arin.net> wrote:
On 26 Sep 2018, at 2:09 AM, Christopher Morrow <morrowc.lists@gmail.com<mailto:morrowc.lists@gmail.com>> wrote:
how is arin's problem here different from that which 'lets encrypt' is facing with their Cert things?
The “Let’s encrypt” subscriber agreement (current version 1.2, 15 Nov 2018) includes "indemnify and hold harmless” clause, and parties affirmatively agree to those terms by requesting that ISRG issue a "Let’s Encrypt” Certificate to you.
The difference is that the Let's Encrypt agreement is for people obtaining certificates from them. The ARIN equivalent would be the agreement for ARIN members.
Let's Encrypt does not require an agreement from relying parties (i.e. browser users), whereas ARIN does.
Tony - That is correct; I did not say that they were parallel situations, only pointing out that the Let’s Encrypt folks also go beyond simply providing services “as is”, and require indemnification from those engaging their CA services, just as ARIN, RIPE, APNIC do… ARIN and APNIC go further by having indemnification by parties using information in the CA; in ARIN’s case, this requires an explicit act of acceptance to be legally valid. Thanks! /John John Curran President and CEO ARIN