[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

Michael Sinatra michael+ppml at burnttofu.net
Thu Dec 6 20:49:05 EST 2012


On 12/05/12 11:36, John Curran wrote:

> Contrast this with RPKI, where ARIN's CA may be depended upon by many
> parties which otherwise have no relationship with ARIN, i.e. the business
> partner who is harmed by RPKI usage by either their own failure or by
> an upstream ISP not following best practices could easily be validating
> routes via information obtained from ARIN's CA. If the business entered 
> the wrong AS in a ROA (but denies it after the fact), ARIN could face 
> significant legal action just proving that we performed correctly. Hence, 
> there is a real need for both system capabilities (in areas such as non-
> repudiation) as well as appropriate legal protections.

But why does the ISP, which is following best practices, have to
indemnify ARIN?  Why should that ISP get sued instead of ARIN,
especially when ARIN ought to have the evidence to defend itself, as
Chris notes?

and:

> Agreed.  I am not at all worried about our performance or any fault on ARIN's part,
> but that will not deter a multiyear litigation over proving exactly that fact.  This is
> why an indemnification is rather important, because it reduces the potential for
> such litigation upfront, and hence why it is a standard component of many types
> of service contracts including ISP and certificate providers.

So, this is where my lack of legal experience is telling.  How will my
indemnifying ARIN reduce the potential for such litigation upfront?  It
seems that it will reduce the proposal of ARIN being sued up front, but
will increase the potential of me being sued.  Or will the would-be
litigators say "Mike Sinatra doesn't have any money, but ARIN does, so
let's sue them.  Oh!  But Mike Sinatra indemnified them so we have to
sue him.  But he doesn't have any money so it's not worth it.  Curses!"?

More seriously (and practically), having to indemnify ARIN is a huge
obstacle to even testing RPKI, as the only way to generate a ROA and get
the TAL is to indemnify ARIN.

I now see David Farmer's response in arin-tech-discuss (sorry I missed
it--October was kinda busy), and I think a useful compromise is to try
to place an addendum to any pre-existing (L)RSAs.  But if the addendum
includes third-party indemnification, it's going to be an obstacle, if
not a show-stopper.

michael



