<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">This makes sense to me.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">However, the recent changes ARE still a step in the right direction. And they may be enough to let me start using RPKI… that’s not 100% clear yet, a more in-depth review needs to happen.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">-Adam<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;color:#44546A">Adam Thompson</span></b><span lang="EN-US" style="font-size:9.0pt;color:#44546A"><br>
Consultant, Infrastructure Services<br>
</span><a href="https://www.merlin.mb.ca/"><b><span lang="EN-US" style="font-size:9.0pt;color:#44546A;text-decoration:none"><img border="0" width="127" height="38" style="width:1.3229in;height:.3958in" id="Picture_x0020_1" src="cid:image001.png@01D58A70.EEBE5940" alt="[MERLIN LOGO]"></span></b></a><span lang="EN-US" style="font-size:9.0pt;color:#44546A"><br>
100 - 135 Innovation Drive<br>
Winnipeg, MB, R3T 6A8<br>
(204) 977-6824 or 1-800-430-6404 (MB only)<br>
<a href="mailto:athompson@merlin.mb.ca"><span style="color:#44546A">athompson@merlin.mb.ca</span></a><br>
<a href="http://www.merlin.mb.ca/"><span style="color:#44546A">www.merlin.mb.ca</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> ARIN-PPML <arin-ppml-bounces@arin.net>
<b>On Behalf Of </b>David Farmer<br>
<b>Sent:</b> Monday, October 21, 2019 2:35 PM<br>
<b>To:</b> John Curran <jcurran@arin.net><br>
<b>Cc:</b> arin-ppml <arin-ppml@arin.net><br>
<b>Subject:</b> Re: [arin-ppml] ARIN Announces New Relying Party Agreement (RPA) To Spur Use of RPKI<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">John,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am encouraged by these changes, however, I don't think they go far enough.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I've been thinking about these issues for a while now, particularly the issue of requiring a valid and binding Relying Party Agreement (RPA) on a global basis. In my opinion, this seems to run counter to at least the spirit of ICP-2. While
ICP-2 deals with the formation of new RIR's, it says, "each region should be served by a single RIR." This seems to strongly imply, that an LIR (ISPs) should only have to contract with or otherwise do business with the RIR(s) for which the LIR operates within
the service regions of the RIR(s).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Furthermore, if the other RIR's have similar requirements as ARIN for valid and binding RPAs on a global basis, whether through a formal contract as with ARIN or through terms expressed in the Certificate or Certificate Practice Statement
(CPS) this would mean I would need to convince the lawyers at the University of Minnesota that we needed binding contracts with each of the five RIRs. To be honest, I doubt this would be achievable, and ICP-2 seems to imply this should not be necessary as
we only operate our network within the ARIN service region. However, even though we only operate a network within the ARIN service region the University of Minnesota has assets around the globe, which makes the risks of contracting with the other RIRs difficult
to determine but probably quite sizable.<o:p></o:p></p>
<div>
<p class="MsoNormal"> <br>
Further, if it is truly necessary to have binding agreements with each of the RIR's or that all operators globally need to contract with ARIN in order to validate RPKI then I think we need to rethink RPKI or at least rethink how RPKI is currently deployed.
Maybe the RIRs need to contract with each other on behalf of their members and resign each other's certificates, so a binging RPA is only necessary with your home RIR, and you only need the TAL of your home RIR to validate ROA's on a global basis.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thank you.<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Mon, Oct 21, 2019 at 1:01 PM John Curran <<a href="mailto:jcurran@arin.net" target="_blank">jcurran@arin.net</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">FYI, <o:p></o:p></p>
<div>
<p class="MsoNormal">/John<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Begin forwarded message:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica",sans-serif;color:black">From:
</span></b><span style="font-family:"Helvetica",sans-serif">ARIN <<a href="mailto:info@arin.net" target="_blank">info@arin.net</a>></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica",sans-serif;color:black">Subject:
</span></b><b><span style="font-family:"Helvetica",sans-serif">[arin-announce] ARIN Announces New Relying Party Agreement (RPA) To Spur Use of RPKI</span></b><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica",sans-serif;color:black">Date:
</span></b><span style="font-family:"Helvetica",sans-serif">21 October 2019 at 10:52:40 AM PDT</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica",sans-serif;color:black">To:
</span></b><span style="font-family:"Helvetica",sans-serif"><<a href="mailto:arin-announce@arin.net" target="_blank">arin-announce@arin.net</a>></span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><br>
Today, ARIN published a new Relying Party Agreement (RPA) for RPKI.<br>
<br>
Visit: <a href="https://www.arin.net/resources/manage/rpki/rpa.pdf" target="_blank">
https://www.arin.net/resources/manage/rpki/rpa.pdf</a><br>
<br>
Background: In response to feedback from the community, ARIN had<br>
previously updated its processes to allow organizations to directly<br>
download our Trust Anchor Locator (TAL) from our website, noting that by<br>
doing so they were agreeing to be bound by the RPA. This was intended to<br>
accommodate and overcome claimed barriers to RPKI adoption.<br>
<br>
Visit: <a href="https://www.arin.net/resources/manage/rpki/tal/" target="_blank">
https://www.arin.net/resources/manage/rpki/tal/</a><br>
<br>
Today’s new RPA includes modifications to address constructive<br>
suggestions that have been raised by members of the community both<br>
publicly and directly with ARIN. ARIN has included the following changes<br>
in the RPA:<br>
<br>
* The ability to make available the ARIN RPKI information to any<br>
third party for informational purposes (e.g. reporting, educational,<br>
research, summary or statistical purposes) has been expanded to allow<br>
for distribution in machine-readable formats; and<br>
<br>
* The RPA’s indemnification clause has been more narrowly scoped to<br>
exclude the indemnification of possible ARIN misconduct.<br>
<br>
ARIN has also now made a Redistributor RPA available for qualified<br>
organizations that wish to distribute RPKI-related data for purposes not<br>
covered in this standard RPA, including but not limited to distribution<br>
for real-time routing purposes. Interested organizations should contact<br>
ARIN via the information available on the Trust Anchor Locator page on<br>
our website.<br>
<br>
Visit: <a href="https://www.arin.net/resources/manage/rpki/rpa_redistributor.pdf" target="_blank">
https://www.arin.net/resources/manage/rpki/rpa_redistributor.pdf</a><br>
<br>
ARIN hopes that these additional changes to the RPA, alongside<br>
simplified access to the TAL, will encourage organizations’ adoption of<br>
RPKI to secure Internet routing.<br>
<br>
<br>
Regards,<br>
<br>
John Curran<br>
President and CEO<br>
American Registry for Internet Numbers (ARIN)<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
ARIN-PPML<br>
You are receiving this message because you are subscribed to<br>
the ARIN Public Policy Mailing List (<a href="mailto:ARIN-PPML@arin.net" target="_blank">ARIN-PPML@arin.net</a>).<br>
Unsubscribe or manage your mailing list subscription at:<br>
<a href="https://lists.arin.net/mailman/listinfo/arin-ppml" target="_blank">https://lists.arin.net/mailman/listinfo/arin-ppml</a><br>
Please contact <a href="mailto:info@arin.net" target="_blank">info@arin.net</a> if you experience any issues.<o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal">===============================================<br>
David Farmer <a href="mailto:Email%3Afarmer@umn.edu" target="_blank">
Email:farmer@umn.edu</a><br>
Networking & Telecommunication Services<br>
Office of Information Technology<br>
University of Minnesota <br>
2218 University Ave SE Phone: 612-626-0815<br>
Minneapolis, MN 55414-3029 Cell: 612-812-9952<br>
=============================================== <o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>