<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
On 1 Feb 2017, at 4:01 AM, Job Snijders <<a href="mailto:job@ntt.net" class="">job@ntt.net</a>> wrote:
<div>
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">
I am certain that an appropriate (and equally short) wget command<br class="">
could suffice technically for installing ARIN’s TAL, but including<br class="">
such in a script (or including the TAL directly in the source code<br class="">
repository) would deprive parties of the ability to fully consider and<br class="">
accept the responsibilities involved. <br class="">
</blockquote>
<br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Correct.
Thank you for this summary. Your summary narrows it down to</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">exactly
the point of friction.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Questions
that come to mind: are the responsibilities as outlined by the</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">RPA
proportional to the goals the RPA is intended to achieve? Should any</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">responsibilities
be associated with the distribution of cryptographic</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">public
keys? To me DNSSEC seems an apt comparison.</span></div>
</blockquote>
<br class="">
</div>
<div>Job - </div>
<div><br class="">
</div>
<div>The typical relying parties “usage” of certificates in DNSSEC is heavily proscribed by </div>
<div>both protocol and implementation, and occurs with only nominal configuration choices on </div>
<div>behalf of the relying party. Both the maturity of DNSSEC and deployment model greatly </div>
<div>minimize the potential for misconfiguration on behalf of a relying party, with the result being</div>
<div>that misconfiguration by zone administrators is a much more common occurrence and one</div>
<div>whose impact is limited to but their own domain (reference RFC 7646 for more detail on </div>
<div>same and thus the desire for locally administered negative trust anchors to address </div>
<div>such circumstances...) Even when a DNSSEC validation error occurs, there remains the</div>
<div>potential for self-help on behalf of end users (via the option to switch to a non-validating </div>
<div>resolver.)</div>
<div>Contrast this to RPKI, wherein the introduction of origin validation into an ISP’s routing </div>
<div>architecture has many operational considerations, and inherently includes the potential to </div>
<div>readily impact the ISP's primary business under anything less than carefully planned and </div>
<div>executed BGP origin validation deployment efforts. While I’m am certain that everyone </div>
<div>deploying RKPI has BCP 185 memorized, the scope of any such impacts (and lack of viable </div>
<div>workarounds by the impacted customers) inherently means the potential for business impact</div>
<div>is greater than exists with deployment of DNSEC validation by ISPs – i.e. while I do believe</div>
<div>that your comparison to DNSSEC is directionally correct, it fails overall due to the very real</div>
<div>and significant difference in the magnitude of potential business impact to the relying party.</div>
<div><br class="">
</div>
<div>/John</div>
<div><br class="">
</div>
<div>John Curran</div>
<div>President and CEO</div>
<div>ARIN</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div><br class="">
</div>
</body>
</html>