[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

[John Curran]

On Dec 4, 2012, at 11:21 PM, Michael Sinatra <michael+ppml at burnttofu.net>
 wrote:

> Michael is traveling now, but he will try to chime in...
> 
> The issue that I have with the RPA is that it contains a 3rd party
> indemnification clause that appears to require that I indemnify and
> defend ARIN against any third-party claims.  As such, $my_employer will
> not allow me to sign such a thing.
> 
> I can see why there may be a need for such indemnification; presumably
> it avoids the issues that came up in the early(?) days of the RBLs,
> where parties denied spamming "rights" through someone's email
> infrastructure would sue the RBL operator.

Or if someone makes a typo in their use of RPKI services, 
and then is sued by a relying party (e.g. a now failing 
financial institution or telesurgery firm) and decides 
that it is easiest to simply say ARIN's systems failed.

We take some very serious precautions in establishing the
RPKI services, including dedicated HSMs, non-repudiation
mechanisms, multiple party controls, and a threat model 
that includes some fairly byzantine cases.  At the end of
the day, however, parties must actually consider the fact
that relying on RPKI could create some additional failure
modes, particularly if best practices are used in how 
route evaluation is performed.

> OTOH, the indemnification clause does *appear* to also cover the case
> where ARIN is truly negligent in its operation of its RPKI
> infrastructure.  In such a case, I would have to assume the liability
> and defend ARIN from a *third-party* complaint, even if it were clearly
> ARIN's fault.
> 
> Managing my own risks is one thing; managing ARIN's is another.

If ARIN were clearly at fault (e.g. gross negligence or malfeasance
on ARIN's part), then applicable of indemnification clause is a legal
question which is best answered by your counsel.  

> But the practical issue is that I work for an employer that requires, at
> a minimum, extensive gyrations before I can even click-through such an
> agreement, which makes piloting RPKI (something I have promised members
> of the SIDR working group I would do) very difficult and much more
> time-consuming for me.

Your organization has certain expectations about the risks they take 
on, and relying on ARIN's CA data in a programmatic way could easily 
increase those risks due to new failure modes.  ARIN has made those 
risks fairly explicit in the RPA and associated CPS, and is willing 
to provide the service but cannot possible know what dependence you
or your business partners will be making on its services.  As such,
we have to be clear that the risks associated with relying on this 
data are fully borne by the relying party.

Thanks!
/John

John Curran
President and CEO
ARIN