[arin-ppml] RPKI Relying Agreement

Adam Thompson athompso at athompso.net
Fri Dec 5 14:21:37 EST 2014 

(BTW: yes, I was joking about moving ARIN to some [mythical] corrupt 
3rd-world country.  Mostly.  I think.)

Clearly there's intractable resistance to an explicit agreement from 
larger members.  Even the smallest of constituents (e.g. me) aren't 
terribly happy with it, but I also know I'm small enough that there's no 
point in a large company suing me.

Equally, U.S. courts have already upheld click-wrap licenses, at least 
in principle if not always in all the details.

Somewhere in between is the implicit license, which legally seems to be 
similar to but not identical to the click-wrap license.

The WHOIS data comes with a license/T&C embedded, for example, despite 
the fact it has very little operational impact.

DNSSEC validation does not have any embedded license or T&C that I've 
noticed, and seems at least as (probably more) prone to causing 
"outages" as RPKI would.

If RPKI switches to implicit licensing, you could put the link (like 
WHOIS) in the rsync banner.  I'm unsure if that would be sufficient.


 From the corporate standpoint:

1. Explicit agreements are vetted by legal staff, whose focus is 
typically on liability prevention and don't have a good technical 
understanding.  It then becomes an actively managed object in the legal 
department.  ("Actively" just means a file is created and kept track 
of.)  If litigation occurs, company officers are typically involved and 
may be directly liable.

2. Implicit agreements are agreed to every day by staff who typically 
lack the authority to bind the corporation to the agreed-to terms, but 
who typically have a good technical understanding of whether the 
license/Ts&Cs should be accepted or not.  The company then has several 
avenues of self-defence if litigation occurs - use the employee as a 
scapegoat, fire the employee, claim that it wasn't binding to begin 
with, counter-sue, etc. - and officers of the corporation are less 
likely to suffer significant penalties.

(IANAL - that's merely a layman's summary of what I've learned from my 
lawyer, the former general counsel for a large telecom provider here.  
My understanding, furthermore, is the fundamental principles in this 
analysis are very similar between Canada and the US.)

I know which one I prefer from a defensibility standpoint.

-Adam




On December 4, 2014 5:10:53 PM CST, John Curran <jcurran at arin.net> wrote:

    On Dec 4, 2014, at 5:07 PM, Adam Thompson <athompso at athompso.net> wrote:

        If ARIN's legal counsel feels there is no way to avoid requiring
        *explicit* legal agreement prior to using RPKI data (as distinct
        from *publishing* RPKI data) then I would suggest that there is
        a clear community consensus just based on what I've heard here
        and at ARIN 34. Unfortunately, the dialog between ARIN and its
        community boils down to "the business and legal climate in the
        United States is too hostile to permit easy and widespread use
        of RPKI data". If ARIN can't find a way around that problem,
        perhaps they should consider reincorporating somewhere more
        conducive to business... 


    Adam -
      
       As noted already, having a click-accept RPA provides higher certainty when managing
       litigation risk from those relying on RPKI data.  Another option to simply state the terms
       (e.g. indemnification) that apply to those using your CA, and then rely on implicit binding.
       A third-option is to include the necessary language in an existing agreement (such as
       the member or registry agreement) and not worrying about those who are just
       accessing the data.

       Each RIR is taking their own approach to this problem, and you’re unlikely to find a
       jurisdiction where services can be offered with _no_ risk at all (note - if you do find such
       a place, then it’s so "conducive to business” that your own service providers are likely
       to have no obligations to you…)

       We can switch to an implied agreement (as has been used in other regions); if that
       does address the concern, it means that folks are more willing to be implicitly bound
       by terms unseen than explicitly accepting an agreement with known terms.

    /John

    John Curran
    President and CEO
    ARIN

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20141205/a66a3d8f/attachment.htm>

More information about the ARIN-PPML mailing list