<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
On 30 Jan 2017, at 3:42 AM, Job Snijders <<a href="mailto:job@ntt.net" class="">job@ntt.net</a>> wrote:<br class="">
<div>
<blockquote type="cite" class=""><br class="">
<div class="">
<div class="">What stands out to me is that (as example) the RIPE NCC RPKI Validator<br class="">
ships with materials from all the RIRs, except ARIN. The RPKI Validator<br class="">
is a commonly used software package to interact with the RPKI.<br class="">
<br class="">
<a href="https://github.com/RIPE-NCC/rpki-validator/tree/master/rpki-validator-app/conf/tal" class="">https://github.com/RIPE-NCC/rpki-validator/tree/master/rpki-validator-app/conf/tal</a><br class="">
(notice that LACNIC, AfriNIC, APNIC, RIPE NCC are all there)<br class="">
<br class="">
As such, the RPKI Validator (out of the box) is not complete. I<br class="">
attribute this to ARIN's RPA. This phenomenon puts a burden on every<br class="">
organisation wishing to use RPKI.<br class="">
<br class="">
I view this as a shortcoming of the ecosystem and detrimental to our<br class="">
efforts maintain a secure routing system.<br class="">
<br class="">
Of course any party can read the RPA and (if they agree) download the<br class="">
ARIN TAL and add it to their RPKI Validator installation, but I strongly<br class="">
prefer an ecosystem which out-of-the-box is operating in a secure mode.<br class="">
I'd argue that ARIN has an obligation to its members to make these<br class="">
materials unencumbered by legal constraints and freely available to<br class="">
anyone.<br class="">
</div>
</div>
</blockquote>
<div><br class="">
</div>
<div>Job - </div>
<div> </div>
<div> In order to better understand your request regarding the differences between</div>
<div> ARIN and the other RIR’s re how the TAL is made available, I need to inquire</div>
<div> about your assertion that ARIN should "make these materials unencumbered </div>
<div> by legal constraints and freely available to anyone”</div>
<div><br class="">
</div>
<div> Is it your belief that other RIRs presently make these materials available without</div>
<div> legal constraints? A quick review would show that is not the case; for example, </div>
<div> access RIPE’s RPKI CA repository data binds one to RIPE’s RPKI repository Terms </div>
<div> and Conditions <<a href="https://www.ripe.net/manage-ips-and-asns/resource-management/certification/legal/ripe-ncc-certification-repository-terms-and-conditions" class="">https://www.ripe.net/manage-ips-and-asns/resource-management/certification/legal/ripe-ncc-certification-repository-terms-and-conditions</a>></div>
<div><br class="">
</div>
<div> Is it the presence of legal constraints that it is the concern, or the fact that ARIN </div>
<div> requires explicit downloading (and thus awareness of this fact) that is the issue?</div>
<div><br class="">
</div>
<div> Note that wee did streamline access to the TAL recently (by making it a simple </div>
<div> download from the web rather than requiring explicitly agreement acceptance </div>
<div> and download via email link); in this manner, getting ARIN’s TAL should not</div>
<div> be much more difficult then obtaining the typical software library. </div>
<div><br class="">
</div>
<div>Thanks for any insight you can provide,</div>
<div>/John</div>
<div><br class="">
</div>
<div>John Curran</div>
<div>President and CEO</div>
<div>ARIN</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div><br class="">
</div>
</div>
<br class="">
</body>
</html>