
netsec-sig - Re: [Security-WG] Fwd: [arin-announce] New RPKI Trust Anchor

Subject: Internet2 Network Security SIG

  • From: David Farmer <>
  • To:
  • Subject: Re: [Security-WG] Fwd: [arin-announce] New RPKI Trust Anchor
  • Date: Wed, 20 Sep 2017 16:17:29 -0500

I believe this is at least partially resolved; there is no longer a click-through where you have to explicitly agree to ARIN's Relying Party Agreement.  However, by using the TAL you are implicitly agreeing to ARIN's Relying Party Agreement.  Note: By using the other RIRs' TALs you are implicitly agreeing to very similar language embedded within their certificates as well.  ARIN simply makes its legal documents much more conspicuous than the other RIRs, but don't be fooled into believing the other RIRs don't have applicable legal documents too, just like everything else relying on certificates; remember, fundamentally a certificate is an attestation.

ARIN RPKI pointers;



Links directly to the TAL in various formats are available on the last page without any explicit click through agreement, like there was previously.

Hope that helps.

On Wed, Sep 20, 2017 at 3:14 PM, Dale W. Carder <> wrote:
Hey David, that's really good news.

Do you know if there is still an AUP (I think it was click-through, but
had problematic language, IIRC) to use the ARIN TA?  I haven't looked
recently.

Dale


Thus spake David Farmer () on Wed, Sep 20, 2017 at 10:31:55AM -0500:
> FYI, I thought this might be of interest.
>
> ---------- Forwarded message ----------
> From: ARIN <>
> Date: Wed, Sep 20, 2017 at 8:13 AM
> Subject: [arin-announce] New RPKI Trust Anchor
> To:
>
>
> On 19 September 2017, ARIN held a key ceremony to move to a RPKI Trust
> Anchor that reflects all holdings (0/0) to fulfill our commitment to the
> deadline set by the Number Resource Organization (NRO) for all of the
> Regional Internet Registries (RIRs). This action is detailed in the “All
> Resources Applicability Statement” dated 21 January 2017:
>
> https://tools.ietf.org/html/draft-rir-rpki-allres-ta-app-statement
>
> "This document provides an applicability statement for the use of multiple,
> over-claiming ‘all resources’ (0/0) RPKI certificate authorities (CA)
> certificates used as trust anchors (TAs) operated by the Regional Internet
> Registry community to help mitigate the risk of massive downstream
> invalidation in the case of transient registry inconsistencies."
>
> To mitigate the risk and alleviate this threat, the RIRs agreed to move
> from a Trust Anchor that reflects only their current holdings to one that
> reflects all holdings. This improvement will provide a more robust way of
> allowing resources that are covered under RPKI to be transferred from one
> RIR to another.
>
> Note that current ARIN RPKI users do not need to re-download the TAL, as
> the TAL has not changed.
>
> If you are new to RPKI and want to start validating RPKI data from the ARIN
> region, you can download the ARIN TAL from the following location:
>
> https://www.arin.net/resources/rpki/tal.html
>
> Regards,
>
> Mark Kosters
> Chief Technology Officer
> American Registry for Internet Numbers (ARIN)
>
> _______________________________________
>
>
>
> --
> ===============================================
> David Farmer               
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================



--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================


