[arin-ppml] Revisit RPKI TAL Relying Party Agreement?

Fri Feb 3 11:02:25 EST 2017

On 3 Feb 2017, at 8:15 AM, LOOS Eric (BCS/CBU) <eric.loos at bics.com<mailto:eric.loos at bics.com>> wrote:

IANAL, but I have worked enough with our legal department to see some red flags in the RPA:
-          Possibility for on-sided modifications of the T&C with automatic acceptance thereof
-          Complete indemnification of ARIN et al.

So I definitely sympathize with the point that the RPA as worded there is probably unacceptable for many carriers (us included)
I also agree that it is a moot point whether this is a click through before a download is possible or fine print of the website which is presumable accepted once the service is accessed; it is in fact indeed commendable that ARIN does not try to let companies agree to such far reaching legal language without at least raising the flag.

Eric -

ARIN does indeed call out the entry into a RPKI legal agreement, and this is an
agreement that includes indemnification (whereas other RIRs rely upon implicit
binding via use to similar provisions in their overall registry agreements.)

Therefore the points made by Wes during his nanog talk regarding the modification of the RPA are pertinent here.

After Wes’ presentation, access to ARIN’s TAL was changed to no longer require
explicit acceptance (via entry of email address and access via emailed link) and
instead allow direct download, but it remains unclear whether implicit agreement
via having the TAL bundled with other software would suffice for the same purposes
(at least in the US.)

I wonder why the trustees have chosen to take such a defensive approach on information contained in the RKPI, after all we have had RBL lists in the past for blocking mail, we pretty much all uses RIR routing registries for building our filters, many people rely on PeeringDB for keeping their peering records up to date and I have not encountered such defensive position before.

It is true that the ARIN RPA contains an indemnification clause, but as I pointed out to
Wes, it is remarkably similar to the indemnification clauses that are contained in many
carriers' Internet service contracts.  Providing and purchasing Internet services under
such indemnification provisions does tend to belie claims that those same provisions for
RPKI are burdensome, and further those provisions serve an important role in making
sure that ARIN’s overall registry services (used by many thousands of organizations)
cannot be impacted by any adverse outcome resulting from less-than-diligent RPKI usage.

Especially RPKI requires a wide acceptance to be able to do anything useful.
What would be the process for the trustees to review this matter and share their insights on this matter?

The ARIN Board of Trustees has spent a very significant amount of time in recent
years on RPKI services, including their availability, terms of service and related risks –
this has resulted in continuous improvement to both the agreements and methods of
access to the TAL as noted above.

The Trustees are all on this mailing list, and I will (as previously noted) bring this
topic to them at their next meeting for further review.  I also note that the ARIN
Board of Trustees holds a public session at each ARIN meeting and is available
to address questions such as these if a more interactive format is preferred.

Thanks!
/John

John Curran
President and CEO
ARIN

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20170203/910278bf/attachment.htm>