RIPE NCC Certification Service Terms and Conditions
Introduction
This document will stipulate the Terms and Conditions for the RIPE NCC Certification Service. The RIPE NCC Certification Service is based on Internet Engineering Task Force (IETF) standards, in particular RFC 3647, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework", RFC 3779, "X.509 Extensions for IP Addresses and AS Identifiers", and the "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)".
Article 1 - Definitions
In the Terms and Conditions, the following terms shall be understood to have the meanings assigned to them below:
RIPE NCC - Réseaux IP Européens Network Coordination Centre, a membership association under Dutch law, with a registered office in Amsterdam, the Netherlands.
Member – A natural person or a legal entity that has entered into the RIPE NCC Standard Service Agreement with the RIPE NCC.
End User - A natural person or a legal entity that is assigned Independent Internet Number Resources from the RIPE NCC through an agreement with a Member.
Independent Internet Number Resources: Internet Number Resources (Autonomous System (AS) Number, Provider Independent (PI), IPv4 and IPv6), Internet Exchange Point (IXP) and anycasting assignments directly allocated by the RIPE NCC.
Certificate – Digitally signed data object generated by the RIPE NCC Certification Service.
Certificate Holder – RIPE NCC Member or End User who uses the RIPE NCC Certification Service.
RIPE NCC Certification Service – The RIPE NCC service through which the Certificates are issued or revoked and RPKI-signed objects are created, modified, or deleted.
Internet number resources – Globally unique IP addresses (IPv4 and IPv6) and Autonomous System Numbers (ASNs) registered with an Internet Number Registry, such as the RIPE NCC, that allocates Internet number resources and holds and publishes details of Internet number resource information.
RPKI-signed objects – Digitally signed data objects created using the Certificate, such as Route Origin Authorisation (ROA) objects.
ROA object – Route Origin Authorisation object, an RPKI-signed object that binds a set of IP address blocks to an ASN.
Route Origin Validation (ROV) - a cryptographic validation mechanism based on RFC6811, by which BGP announcements can be authenticated as originating from the autonomous system number (ASN) specified in the ROA object, and may reject BGP announcements that are not originating from the ASN as specified in the ROA object or have a prefix length that is not consistent with the prefix length as specified in the ROA object.
LIR Portal – The secure web interface through which Members access various RIPE NCC services.
Repository – A publicly accessible location where the RIPE NCC publishes all Certificates, Certificate Revocation Lists (CRLs) and RPKI-signed objects of the Certificate Holder who chose the Hosted CA setup and available to download by third parties under the RIPE NCC Certification Repository Terms and Conditions.
CA – Certification Authority. CA is an entity that issues, publishes and revokes the Certificates.
Hosted CA – Type of CA setup technically hosted in the secure infrastructure of the RIPE NCC. The RIPE NCC as Hosted CA is responsible for all cryptographic operations of the RIPE NCC Certification Service, as well as for hosting the Certificate Holder's public and private key pair.
Delegated CA – Type of CA setup technically hosted by the RIPE NCC Member or End User, who chooses the Delegated CA setup instead of the Hosted CA. The Certificate Holder, as a Delegated CA, manages their CA on their own infrastructure instead of that of the RIPE NCC, including the hosting of the public and private key pair.
Publish in Parent Service – RIPE NCC service based on RFC 8181 through which the Delegated CA can choose to publish their Certificates, CRLs and RPKI-signed objects in the RIPE NCC Publish in Parent Repository instead of their own infrastructure.
Publish in Parent Repository – A publicly accessible location where the RIPE NCC publishes all Certificates, CRLs and RPKI-signed objects of the Certificate Holders who chose the Publish in Parent Service as part of the Delegated CA setup.
RIPE community - RIPE (Réseaux IP Européens) is a collaborative forum open to all parties interested in wide area IP networks in Europe and beyond. The objective of RIPE is to ensure the administrative and technical coordination necessary to enable the operation of a pan-European IP network.
Article 2 – General
2.1. The Terms and Conditions come into effect by means of an offer and an acceptance. By clicking the button “I accept. Create my Certificate Authority” in the LIR Portal, Members or End Users confirm that that they have read, understood and agree to be bound by these Terms and Conditions.
2.2. The RIPE NCC reserves the right to amend these Terms and Conditions. The RIPE NCC shall notify the Certificate Holder of such amendments. After such amendments, the Certificate Holder may continue to use the RIPE NCC Certification Service, provided they read, understand and agree to the amended Terms and Conditions.
2.3. These Terms and Conditions prevail over explanatory documents regarding the RIPE NCC Certification Service, including the Certification Practice Statement, which exists for convenience and informational purposes only and does not affect the interpretation of these Terms and Conditions.
Article 3 – Use of the RIPE NCC Certification Service
3.1. Upon the Certificate Holder agreeing to these Terms and Conditions, the RIPE NCC shall generate a Certificate for the Certificate Holder . The Certificate will reflect the registration of the Member's or the End User’s Internet number resources according to the RIPE NCC's registration records. Certificates may not be available for all types of Internet number resources. The RIPE NCC will not attach any other data to the Certificate (including personal data or data referring to the name, trade name or operations of the Certificate Holder ).
3.2. The Certificate Holder shall use the RIPE NCC Certification Service for the following purposes only:
- To assert that the Internet number resources indicated in the Certificate are registered with the Certificate Holder.
- To configure specifications for creating or revoking ROA objects.
3.3. Use of the RIPE NCC Certification Service or of Certificates for any other purpose, including identification purposes, is not recognised.
3.4. The Certificate Holder shall be responsible for any use of the RIPE NCC Certification Service or of the Certificate.
3.5. The Certificate Holder is not obliged to create ROA objects. The Certificate Holder acknowledges and agrees that creating ROA objects that do not reflect their BGP routing intentions or failing to maintain ROA objects so that they reflect their BGP routing intentions may result in rejected BGP announcements.
3.6. The RIPE NCC may perform ROV on its own network. The Certificate Holder acknowledges and agrees that if a BGP announcement does not match to the ROA object, the BGP announcement may be rejected, which can result in loss of access to the ripe.net domain and any sub-domains thereof.
3.7. The use of the RIPE NCC Certification Service or the Certificate does not support claims of alleged "ownership" of Internet number resources. Internet number resources registered by the RIPE NCC are subject to and exclusively governed by the policies adopted by the RIPE community.
3.8. The RIPE NCC Certification Service and the Certificate(s) will be available on a best effort basis and the RIPE NCC may suspend its operation or liability to the Certificate Holder for technical, legal, anti-abuse or any other reasons within the scope of managing the operations of the RIPE NCC Certification Service.
3.9. The RIPE NCC shall publish the generated Certificate and any RPKI-signed objects created using the Certificate of the Certificate Holders who chose the Hosted CA setup in the Repository under the RIPE NCC Certification Repository Terms and Conditions. The Certificate Holder agrees with the use of the Repository as defined in the RIPE NCC Certification Repository Terms and Conditions.
3.10. The RIPE NCC shall publish the generated Certificate and any RPKI-signed objects of the Certificate Holders who chose the Publish in Parent Service as part of the Delegated CA setup in the Publish in Parent Repository under the RIPE NCC Publish in Parent Service and Repository Terms and Conditions. The relevant Certificate Holder agrees with the use of the Publish in Parent Repository as defined in the RIPE NCC Publish in Parent Service Term and Conditions.
Article 4 – Control of Use
4.1. The RIPE NCC is entitled to restrict any unauthorised use or to correct unauthorised use of the RIPE NCC Certification Service. For this purpose, the RIPE NCC may perform security checks and audits.
4.2. The Certificate Holder must assist the RIPE NCC with security checks and audits as appropriate.
Article 5 – Revocation of Certificates
5.1. The RIPE NCC shall revoke a Certificate without any notice if any of the following cases occur:
- The Certificate is inconsistent with the RIPE NCC registration records of the Certificate Holder’s Internet number resources. In this case, the RIPE NCC will replace the revoked Certificate with a Certificate that matches the registration of the Certificate Holder’s Internet number resources. The Certificate Holder will not receive notice of the replacement of the Certificate. Any RPKI-signed objects created by the revoked Certificate for Internet number resources that are not indicated in the new Certificate shall be invalid.
- For technical or security reasons, for example in case the Certificate is compromised. In this case, the RIPE NCC will replace the revoked Certificate with a new Certificate. The Certificate Holder will not receive notice of the replacement of the Certificate.
- The Certificate Holder violates these Terms and Conditions.
5.2. The RIPE NCC shall publish the revoked Certificates in a Certificate Revocation List (CRL).
5.3. The RIPE NCC shall publish all CRLs of the Hosted CA setup Certificate Holders in the Repository.
5.4. The RIPE NCC shall publish all CRLs of Delegated CA setup Certificate Holders who chose the Publish in Parent Service in the Publish in Parent Repository.
Article 6 – Liability
6.1. Use of the RIPE NCC Certification Service is at the Member's or the Certificate Holder’s own risk.
6.2. The Certificate Holder shall be liable for all aspects of their use of the RIPE NCC Certification Service and the Certificate.
6.3. The RIPE NCC is in no way liable for any damages, including, but not limited to, damages to the Certificate Holder’s business, loss of profit, damages to third parties, personal injury or damages to property, except in cases involving wilful misconduct or gross negligence on the part of the RIPE NCC.
6.4. The RIPE NCC shall, in any event, not be liable for non-performance or damages due to force majeure, including but not limited to industrial action, strikes, occupations and sit-ins, blockades, embargoes, governmental measures, denial of service attacks, war, revolutions or comparable situations, power failures, defects in electronic lines of communication, fire, explosions, damage caused by water, floods and earthquakes.
6.5. The RIPE NCC is not liable in the case that local legislation prohibits the use of the RIPE NCC Certification Service or of the Certificate or the use of any technical aspects of the RIPE NCC Certification Service or of the Certificate.
6.6. The Certificate Holder shall indemnify the RIPE NCC against any and all third party claims filed against the RIPE NCC in relation to the Certificate Holder’s use of the RIPE NCC Certification Service or the Certificate.
6.7. Any rights on the part of the Certificate Holder towards the RIPE NCC in connection with the generation or replacement of the Certificate and the use thereof shall finally and unconditionally lapse one year from the date on which the Certificate Holder became aware of (or could in all fairness have been aware of) the existence of such rights. This one-year term can only be barred or interrupted by actual legal action instituted by the Certificate Holder against the RIPE NCC.
Article 7 - Miscellaneous
7.1. The RIPE NCC's intellectual property (agreements, documents, software, databases, website, etc.) may only be used, reproduced and made available to third parties upon prior written authorisation from the RIPE NCC.
7.2. The RIPE NCC Publish in Parent Service is only available via the LIR Portal and access to the LIR Portal is therefore a prerequisite for access to this Service.
7.3. If any provision contained in the Terms and Conditions is held to be invalid by a court of law, this shall not in any way affect the validity of the remaining provisions.
7.4. The titles appearing next to the articles of these Terms and Conditions are for convenience only and shall not be taken into account for the interpretation of the articles.
Article 8 - Governing Law
8.1. These Terms and Conditions shall be exclusively governed by the laws of the Netherlands. The competent court in Amsterdam shall have exclusive jurisdiction with regard to disputes arising from these Terms and Conditions.