<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
(BTW: yes, I was joking about moving ARIN to some [mythical] corrupt
3rd-world country. Mostly. I think.)<br>
<br>
Clearly there's intractable resistance to an explicit agreement from
larger members. Even the smallest of constituents (e.g. me) aren't
terribly happy with it, but I also know I'm small enough that
there's no point in a large company suing me.<br>
<br>
Equally, U.S. courts have already upheld click-wrap licenses, at
least in principle if not always in all the details.<br>
<br>
Somewhere in between is the implicit license, which legally seems to
be similar to but not identical to the click-wrap license.<br>
<br>
The WHOIS data comes with a license/T&C embedded, for example,
despite the fact it has very little operational impact.<br>
<br>
DNSSEC validation does not have any embedded license or T&C that
I've noticed, and seems at least as (probably more) prone to causing
"outages" as RPKI would.<br>
<br>
If RPKI switches to implicit licensing, you could put the link (like
WHOIS) in the rsync banner. I'm unsure if that would be sufficient.<br>
<br>
<br>
From the corporate standpoint:<br>
<br>
1. Explicit agreements are vetted by legal staff, whose focus is
typically on liability prevention and who don't have a good technical
understanding. It then becomes an actively managed object in the
legal department. ("Actively" just means a file is created and kept
track of.) If litigation occurs, company officers are typically
involved and may be directly liable.<br>
<br>
2. Implicit agreements are agreed to every day by staff who
typically lack the authority to bind the corporation to the
agreed-to terms, but who typically have a good technical
understanding of whether the license/Ts&Cs should be accepted or
not. The company then has several avenues of self-defence if
litigation occurs - use the employee as a scapegoat, fire the
employee, claim that it wasn't binding to begin with, counter-sue,
etc. - and officers of the corporation are less likely to suffer
significant penalties.<br>
<br>
(IANAL - that's merely a layman's summary of what I've learned from
my lawyer, the former general counsel for a large telecom provider
here. My understanding, furthermore, is the fundamental principles
in this analysis are very similar between Canada and the US.)<br>
<br>
I know which one I prefer from a defensibility standpoint.<br>
<br>
-Adam<br>
<br>
<br>
<br>
<br>
<div class="gmail_quote">On December 4, 2014 5:10:53 PM CST, John
Curran <a class="moz-txt-link-rfc2396E" href="mailto:jcurran@arin.net">&lt;jcurran@arin.net&gt;</a> wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">On Dec 4, 2014, at 5:07 PM, Adam Thompson <a class="moz-txt-link-rfc2396E" href="mailto:athompso@athompso.net">&lt;athompso@athompso.net&gt;</a> wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">
If ARIN's legal counsel feels there is no way to avoid requiring *explicit* legal agreement prior to using RPKI data (as distinct from *publishing* RPKI data) then I would suggest that there is a clear community consensus just based on what I've heard here and at ARIN 34.
Unfortunately, the dialog between ARIN and its community boils down to "the business and legal climate in the United States is too hostile to permit easy and widespread use of RPKI data".
If ARIN can't find a way around that problem, perhaps they should consider reincorporating somewhere more conducive to business...
</blockquote>
Adam -
As noted already, having a click-accept RPA provides higher certainty when managing
litigation risk from those relying on RPKI data. Another option is to simply state the terms
(e.g. indemnification) that apply to those using your CA, and then rely on implicit binding.
A third option is to include the necessary language in an existing agreement (such as
the member or registry agreement) and not worry about those who are just
accessing the data.
Each RIR is taking their own approach to this problem, and you’re unlikely to find a
jurisdiction where services can be offered with _no_ risk at all (note - if you do find such
a place, then it’s so "conducive to business" that your own service providers are likely
to have no obligations to you…)
We can switch to an implied agreement (as has been used in other regions); if that
does address the concern, it means that folks are more willing to be implicitly bound
by terms unseen than explicitly accepting an agreement with known terms.
/John
John Curran
President and CEO
ARIN
</pre>
</blockquote>
</div>
</body>
</html>