At 3:03 PM +0200 3/11/08, Pekka Savola wrote:
>Hi,
>
>I asked on the mike about the success stories we have had with CPS in
>other contexts in order to find out who is actually writing these
>kinds of documents and whether it would be reasonable to expect any of
>this in future RPKI work.
>
>There is probably some need to write at least a minimal statement if
>you sell certificate authority services. It would be nice to have
>these documents use a similar format (hence the CPS template) but
>AFAICS it's also perfectly fine to use your own format; the IETF is
>not a contract or documentation police :-).

You're right that you don't have to use the RFC 3647 format, but it is also true that the vast majority of folks who have written a CPS do follow that format.

>On the other hand, if an ISP does not sell those services (but rather
>is just an end-user and/or provides the service for free for its
>customers), it's not obvious why most ISPs would be interested in
>doing a lot of paperwork on this subject. Most ISPs already disclaim
>any responsibility for pretty much anything that hasn't been
>explicitly agreed to so not doing any paperwork would be compatible
>with current practise.

Even if an ISP is not selling its CA service per se, it is generally agreed that the issuance of certs creates a potential liability. The goal of a CPS (and the RPKI CP) in this context is to give the ISP (and its attorney) greater confidence that it is not assuming liability by acting as a CA in this context.

Steve
