[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

Christopher Morrow morrowc.lists at gmail.com
Wed Dec 5 01:22:24 EST 2012


On Tue, Dec 4, 2012 at 11:21 PM, Michael Sinatra
<michael+ppml at burnttofu.net> wrote:
> Michael is traveling now, but he will try to chime in...

hey thanks! :)

> The issue that I have with the RPA is that it contains a 3rd party
> indemnification clause that appears to require that I indemnify and
> defend ARIN against any third-party claims.  As such, $my_employer will
> not allow me to sign such a thing.

yuck :( that's probably not good for the community... What's confusing
to me is that I think the certificate profile for ARIN, in the case of
the RPKI, includes statements about what the certificates could be
used/depended upon in the CPS, isn't that what the RPA is trying to
do?

<https://www.arin.net/resources/rpki/faq.html#cps> - talks about the
cps, and alludes to legal-beagle-ness

the cps is: <https://www.arin.net/resources/rpki/cps.pdf>
it seems the meat we are interested in is on pages 34-35 though:
8.7. Disclaimers of warranties ................ 34
8.8. Exclusion of Liabilities and Damages ..... 35
8.9. Limitations of liability ................. 35
8.10. Indemnification ......................... 35

for instance:
8.8. Exclusion of Liabilities and Damages.
NOTWITHSTANDING ANYTHING TO THE CONTRARY, ARIN WILL NOT BE LIABLE TO ANY
USER, SUBSCRIBER, RELYING PARTY OR THIRD PARTY, INCLUDING ANY CLIENTS OR
CUSTOMERS OF ANY USER, SUBSCRIBER, RELYING PARTY OR THIRD PARTY, FOR ANY
LIABILITIES AT LAW OR IN EQUITY OR FOR ANY DAMAGES, INCLUDING
CONSEQUENTIAL, INCIDENTAL, INDIRECT, PUNITIVE, EXEMPLARY, OR SPECIAL
DAMAGES (INCLUDING LIABILITIES OR DAMAGES RELATING TO LOST PROFITS, LOST
DATA, OR LOSS OF GOODWILL) ARISING OUT OF, RELATING TO, OR CONNECTED WITH
ANY RESOURCE CERTIFICATION SERVICES, ANY RESOURCE CERTIFICATION, OR
OTHERWISE IN CONNECTION THEREWITH, WHETHER BASED ON CONTRACT, TORT,
STATUTE, OR ANY CAUSE OF ACTION, EVEN IF ANY USER, SUBSCRIBER, RELYING
PARTY OR THIRD PARTY IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
8.9. Limitations of liability.
IN NO EVENT, WHETHER BASED ON CONTRACT, TORT, STATUTE, OR ANY CAUSE OF
ACTION, WILL ARIN’S LIABILITY TO ANY USER, SUBSCRIBER, RELYING PARTY OR THIRD
PARTY, INCLUDING ANY CLIENTS OR CUSTOMERS OF ANY USER, SUBSCRIBER,
RELYING PARTY OR THIRD PARTY, EXCEED IN THE AGGREGATE THE GREATER OF (i)
THE AMOUNT PAID BY SUBSCRIBER TO ARIN FOR THE RESOURCE CERTIFICATION
SERVICES DURING THE SIX (6) MONTHS IMMEDIATELY PRECEDING THE EVENT THAT
GIVES RISE TO SUCH LIABILITY OR (ii) ONE HUNDRED U.S. DOLLARS (US$100.00).

If you use the CA and such, you agree to the cps, ideally... :)

> I can see why there may be a need for such indemnification; presumably
> it avoids the issues that came up in the early(?) days of the RBLs,
> where parties denied spamming "rights" through someone's email
> infrastructure would sue the RBL operator.
>

maybe, doesn't the cps cover all of that? (see inclusions above).

> OTOH, the indemnification clause does *appear* to also cover the case
> where ARIN is truly negligent in its operation of its RPKI
> infrastructure.  In such a case, I would have to assume the liability
> and defend ARIN from a *third-party* complaint, even if it were clearly
> ARIN's fault.

except that the quoted bit above from the CPS seems to also do the
liability shedding... so I'm not sure why another version of the text
is required?

> Managing my own risks is one thing; managing ARIN's is another.

it does seem a bit crazy, yes.

> But the practical issue is that I work for an employer that requires, at
> a minimum, extensive gyrations before I can even click-through such an
> agreement, which makes piloting RPKI (something I have promised members
> of the SIDR working group I would do) very difficult and much more
> time-consuming for me.
>
> I am also pretty sure that a similar agreement exists--with 3rd party
> indemnification clause--for generating ROAs, and must be signed or
> clicked-through for the ROA process to continue.

:(


