[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

David Farmer farmer at umn.edu
Wed Dec 5 00:37:06 EST 2012 

On 12/4/12 22:21 , Michael Sinatra wrote:
> Michael is traveling now, but he will try to chime in...
>
> The issue that I have with the RPA is that it contains a 3rd party
> indemnification clause that appears to require that I indemnify and
> defend ARIN against any third-party claims.  As such, $my_employer will
> not allow me to sign such a thing.
>
> I can see why there may be a need for such indemnification; presumably
> it avoids the issues that came up in the early(?) days of the RBLs,
> where parties denied spamming "rights" through someone's email
> infrastructure would sue the RBL operator.
>
> OTOH, the indemnification clause does *appear* to also cover the case
> where ARIN is truly negligent in its operation of its RPKI
> infrastructure.  In such a case, I would have to assume the liability
> and defend ARIN from a *third-party* complaint, even if it were clearly
> ARIN's fault.
>
> Managing my own risks is one thing; managing ARIN's is another.
>
> But the practical issue is that I work for an employer that requires, at
> a minimum, extensive gyrations before I can even click-through such an
> agreement, which makes piloting RPKI (something I have promised members
> of the SIDR working group I would do) very difficult and much more
> time-consuming for me.
>
> I am also pretty sure that a similar agreement exists--with 3rd party
> indemnification clause--for generating ROAs, and must be signed or
> clicked-through for the ROA process to continue.

Michael,

I raised similar issues on an arin-tech-discuss thread back in October. 
  I was thinking that maybe there could be a version of the RPA that was 
in the form of an addendum to the RSA or LRSA that many organizations in 
region already have and used the indemnification language from those 
contracts rather than the new language in the separate agreement.  Do 
you think that is a strategy that could work for your situation? 
Honestly, I haven't done anything about it, as I haven't got around to 
doing anything about RPKI yet.

Mr. Curran seemed to think something like that could be possible.  He 
also discussed some of the advantages of a formal contract vs. an 
implied RPA.  I think he makes some good points especially for employers 
like ours.

http://lists.arin.net/pipermail/arin-tech-discuss/2012-October/000244.html

-- 
================================================
David Farmer               Email: farmer at umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================

More information about the ARIN-discuss mailing list