[arin-ppml] RPKI Relying Agreement
Adam Thompson
athompso at athompso.net
Fri Dec 5 14:21:37 EST 2014
(BTW: yes, I was joking about moving ARIN to some [mythical] corrupt
3rd-world country. Mostly. I think.)
Clearly there's intractable resistance to an explicit agreement from
larger members. Even the smallest of constituents (e.g. me) aren't
terribly happy with it, but I also know I'm small enough that there's no
point in a large company suing me.
Equally, U.S. courts have already upheld click-wrap licenses, at least
in principle if not always in all the details.
Somewhere in between is the implicit license, which legally seems to be
similar to but not identical to the click-wrap license.
The WHOIS data comes with a license/T&C embedded, for example, despite
the fact it has very little operational impact.
DNSSEC validation does not have any embedded license or T&C that I've
noticed, and seems at least as (probably more) prone to causing
"outages" as RPKI would.
If RPKI switches to implicit licensing, you could put the link (like
WHOIS) in the rsync banner. I'm unsure if that would be sufficient.
From the corporate standpoint:
1. Explicit agreements are vetted by legal staff, whose focus is
typically on liability prevention and who don't have a good technical
understanding. It then becomes an actively managed object in the legal
department. ("Actively" just means a file is created and kept track
of.) If litigation occurs, company officers are typically involved and
may be directly liable.
2. Implicit agreements are agreed to every day by staff who typically
lack the authority to bind the corporation to the agreed-to terms, but
who typically have a good technical understanding of whether the
license/Ts&Cs should be accepted or not. The company then has several
avenues of self-defence if litigation occurs - use the employee as a
scapegoat, fire the employee, claim that it wasn't binding to begin
with, counter-sue, etc. - and officers of the corporation are less
likely to suffer significant penalties.
(IANAL - that's merely a layman's summary of what I've learned from my
lawyer, the former general counsel for a large telecom provider here.
My understanding, furthermore, is the fundamental principles in this
analysis are very similar between Canada and the US.)
I know which one I prefer from a defensibility standpoint.
-Adam
On December 4, 2014 5:10:53 PM CST, John Curran <jcurran at arin.net> wrote:
On Dec 4, 2014, at 5:07 PM, Adam Thompson <athompso at athompso.net> wrote:
If ARIN's legal counsel feels there is no way to avoid requiring
*explicit* legal agreement prior to using RPKI data (as distinct
from *publishing* RPKI data) then I would suggest that there is
a clear community consensus just based on what I've heard here
and at ARIN 34. Unfortunately, the dialog between ARIN and its
community boils down to "the business and legal climate in the
United States is too hostile to permit easy and widespread use
of RPKI data". If ARIN can't find a way around that problem,
perhaps they should consider reincorporating somewhere more
conducive to business...
Adam -
As noted already, having a click-accept RPA provides higher certainty when managing
litigation risk from those relying on RPKI data. Another option is to simply state the terms
(e.g. indemnification) that apply to those using your CA, and then rely on implicit binding.
A third option is to include the necessary language in an existing agreement (such as
the member or registry agreement) and not worry about those who are just
accessing the data.
Each RIR is taking their own approach to this problem, and you’re unlikely to find a
jurisdiction where services can be offered with _no_ risk at all (note - if you do find such
a place, then it’s so "conducive to business" that your own service providers are likely
to have no obligations to you…)
We can switch to an implied agreement (as has been used in other regions); if that
does address the concern, it means that folks are more willing to be implicitly bound
by terms unseen than explicitly accepting an agreement with known terms.
/John
John Curran
President and CEO
ARIN