[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

[Michael Sinatra]

Michael is traveling now, but he will try to chime in...

The issue that I have with the RPA is that it contains a 3rd party
indemnification clause that appears to require that I indemnify and
defend ARIN against any third-party claims.  As such, $my_employer will
not allow me to sign such a thing.

I can see why there may be a need for such indemnification; presumably
it avoids the issues that came up in the early(?) days of the RBLs,
where parties denied spamming "rights" through someone's email
infrastructure would sue the RBL operator.

OTOH, the indemnification clause does *appear* to also cover the case
where ARIN is truly negligent in its operation of its RPKI
infrastructure.  In such a case, I would have to assume the liability
and defend ARIN from a *third-party* complaint, even if it were clearly
ARIN's fault.

Managing my own risks is one thing; managing ARIN's is another.

But the practical issue is that I work for an employer that requires, at
a minimum, extensive gyrations before I can even click-through such an
agreement, which makes piloting RPKI (something I have promised members
of the SIDR working group I would do) very difficult and much more
time-consuming for me.

I am also pretty sure that a similar agreement exists--with 3rd party
indemnification clause--for generating ROAs, and must be signed or
clicked-through for the ROA process to continue.

michael