You are here: Home > Manage IPs and ASNs > Documentation for Resource Management > Resource Public Key Infrastructure (RPKI) > Terms and Conditions > RIPE NCC Certification Service Terms and Conditions

RIPE NCC Certification Service Terms and Conditions

Introduction

This document will stipulate the Terms and Conditions for the RIPE NCC Certification Service. The RIPE NCC Certification Service is based on Internet Engineering Task Force (IETF) standards, in particular RFC3647, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework", RFC3779, "X.509 Extensions for IP Addresses and AS Identifiers", and the "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)".

Article 1 - Definitions

In the Terms and Conditions, the following terms shall be understood to have the meanings assigned to them below:

RIPE NCC - Réseaux IP Européens Network Coordination Centre, a membership association under Dutch law, with a registered office in Amsterdam, the Netherlands.

Member – A natural person or a legal entity that has entered into the RIPE NCC Standard Service Agreement with the RIPE NCC.

End User - A natural person or a legal entity that is assigned Independent Internet Number Resources from the RIPE NCC through an agreement with a Member.

Independent Internet Number Resources: Internet Number Resources (Autonomous System (AS) Number, Provider Independent (PI) IPv4 and IPv6), Internet Exchange Point (IXP) and anycasting assignments directly from the RIPE NCC.

Certificate – Digitally signed data object generated by the RIPE NCC Certification Service.

RIPE NCC Certification Service – The RIPE NCC service through which the Certificates are issued or revoked and RPKI-signed objects are created, modified, or deleted.

Internet number resources – Globally unique IP addresses (IPv4 and IPv6) and Autonomous System Numbers (ASNs) registered with an Internet Number Registry, such as the RIPE NCC, that allocates Internet number resources and holds and publishes details of Internet number resource information.

RPKI-signed objects – Digitally signed data objects created using the Certificate, such as Route Origin Authorisation (ROA) objects.

ROA object – Route Origin Authorisation object, an RPKI-signed object that binds a set of IP address blocks to an ASN.

Route Origin Validation (ROV) - a cryptographic validation mechanism based on RFC6811, by which BGP announcements can be authenticated as originating from the autonomous system number (ASN) specified in the ROA object, and may reject BGP announcements that are not originating from the ASN as specified in the ROA object or have a prefix length that is not consistent with the prefix length as specified in the ROA object.

LIR Portal – The secure web interface through which Members access various RIPE NCC services.

Repository – A publicly accessible location where all Certificates, Certificate Revocation Lists (CRLs) and RPKI-signed objects are published and available to download by third parties for validation purposes.

RIPE community - RIPE (Réseaux IP Européens) is a collaborative forum open to all parties interested in wide area IP networks in Europe and beyond. The objective of RIPE is to ensure the administrative and technical coordination necessary to enable the operation of a pan-European IP network.

Article 2 – General

2.1. The Terms and Conditions come into effect by means of an offer and an acceptance. By clicking the button “I accept. Create my Certificate Authority” in the LIR Portal, Members or End Users confirm that that they have read, understood and agree to be bound by these Terms and Conditions.

2.2. The RIPE NCC reserves the right to amend these Terms and Conditions. The RIPE NCC shall notify the Member or the End User of such amendments. After such amendments, a Member or an End User may continue to use the RIPE NCC Certification Service, provided they read, understand and agree to the amended Terms and Conditions.

2.3. These Terms and Conditions prevail over explanatory documents regarding the RIPE NCC Certification Service, including the Certification Practice Statement, which exists for convenience and informational purposes only and does not affect the interpretation of these Terms and Conditions.

Article 3 – Use of the RIPE NCC Certification Service

3.1. Upon the Member or the End User agreeing to these Terms and Conditions, the RIPE NCC shall generate a Certificate for the Member or the End User. The Certificate will reflect the registration of the Member's or the End User’s Internet number resources according to the RIPE NCC's registration records. Certificates may not be available for all types of Internet number resources. The RIPE NCC will not attach any other data to the Certificate (including personal data or data referring to the name, trade name or operations of the Member or the End User).

3.2. The Member or the End User shall use the RIPE NCC Certification Service for the following purposes only:

  • To assert that the Internet number resources indicated in the Certificate are registered with the Member or the End User

  • To configure specifications for creating or revoking ROA objects

3.3. Use of the RIPE NCC Certification Service or of Certificates for any other purpose, including identification purposes, is not recognised.

3.4. The Member or the End User shall be responsible for any use of the RIPE NCC Certification Service or of the Certificate.

3.5. The Member or the End User is not obliged to create ROA objects. The Member or the End User acknowledges and agrees that creating ROA objects that do not reflect their BGP routing intentions or failing to maintain ROA objects so that they reflect their BGP routing intentions may result in rejected BGP announcements.

3.6. The RIPE NCC may perform ROV on its own network. The Member or the End User acknowledges and agrees that if a BGP announcement does not match to the ROA object, the BGP announcement may be rejected, which can result in loss of access to the ripe.net domain and any sub-domains thereof.

3.7. The use of the RIPE NCC Certification Service or the Certificate does not support claims of alleged "ownership" of Internet number resources.  Internet number resources registered by the RIPE NCC are subject to and exclusively governed by the policies adopted by the RIPE community.

3.8. The RIPE NCC Certification Service and the Certificate(s) will be available on a best effort basis and the RIPE NCC may suspend its operation or liability to the Member or the End User for technical, legal, anti-abuse or any other reasons within the scope of managing the operations of the RIPE NCC Certification Service.

3.9. The RIPE NCC shall publish the generated Certificate and any RPKI-signed objects created using this Certificate in the Repository.

Article 4 – Control of Use

4.1. The RIPE NCC is entitled to restrict any unauthorised use or to correct unauthorised use of the RIPE NCC Certification Service. For this purpose, the RIPE NCC may perform security checks and audits.

4.2. Members or End Users must assist the RIPE NCC with security checks and audits as appropriate.

Article 5 – Revocation of Certificates

5.1. The RIPE NCC shall revoke a Certificate without any notice if any of the following cases occur:

  • The Certificate is inconsistent with the RIPE NCC registration records of the Member's or End User’s Internet number resources. In this case, the RIPE NCC will replace the revoked Certificate with a Certificate that matches the registration of the Member's or End User’s Internet number resources. The Member or the End User will not receive notice of the replacement of the Certificate. Any RPKI-signed objects created by the revoked Certificate for Internet number resources that are not indicated in the new Certificate shall be invalid.

  • For technical or security reasons, for example in case the Certificate is compromised. In this case, the RIPE NCC will replace the revoked Certificate with a new Certificate. The Member or the End User will not receive notice of the replacement of the Certificate.

  • The Member or the End User violates these Terms and Conditions.

5.2. The RIPE NCC shall publish the revoked Certificates in a Certificate Revocation List (CRL).

5.3. The RIPE NCC shall publish all CRLs in the Repository.

Article 6 – Liability

6.1. Use of the RIPE NCC Certification Service is at the Member's or the End User’s own risk.

6.2. The Member or the End User shall be liable for all aspects of their use of the RIPE NCC Certification Service and the Certificate.

6.3. The RIPE NCC is in no way liable for any damages, including, but not limited to, damages to the Member's or End User’s business, loss of profit, damages to third parties, personal injury or damages to property, except in cases involving wilful misconduct or gross negligence on the part of the RIPE NCC.

6.4. The RIPE NCC shall, in any event, not be liable for non-performance or damages due to force majeure, including but not limited to industrial action, strikes, occupations and sit-ins, blockades, embargoes, governmental measures, denial of service attacks, war, revolutions or comparable situations, power failures, defects in electronic lines of communication, fire, explosions, damage caused by water, floods and earthquakes.

6.5. The RIPE NCC is not liable in the case that local legislation prohibits the use of the RIPE NCC Certification Service or of the Certificate or the use of any technical aspects of the RIPE NCC Certification Service or of the Certificate.

6.6. The Member or the End User shall indemnify the RIPE NCC against any and all third party claims filed against the RIPE NCC in relation to the Member's or End User’s use of the RIPE NCC Certification Service or the Certificate.

6.7. Any rights on the part of the Member or the End User towards the RIPE NCC in connection with the generation or replacement of the Certificate and the use thereof shall finally and unconditionally lapse one year from the date on which the Member or the End User became aware of (or could in all fairness have been aware of) the existence of such rights. This one-year term can only be barred or interrupted by actual legal action instituted by the Member or the End User against the RIPE NCC. 

Article 7 - Miscellaneous

7.1. The RIPE NCC's intellectual property (agreements, documents, software, databases, website, etc.) may only be used, reproduced and made available to third parties upon prior written authorisation from the RIPE NCC.

7.2. The RIPE NCC Certification Service is only available via the LIR Portal and a precondition for authorised access to the RIPE NCC Certification Service is authorised access to the LIR Portal.

7.3. If any provision contained in the Terms and Conditions is held to be invalid by a court of law, this shall not in any way affect the validity of the remaining provisions.

Article 8 - Governing Law

8.1. These Terms and Conditions shall be exclusively governed by the laws of the Netherlands. The competent court in Amsterdam shall have exclusive jurisdiction with regard to disputes arising from these Terms and Conditions.

Please contact us if you need more information.

Stay up to date!

Follow the #RPKI hashtag on Twitter.