[arin-tech-discuss] [arin-announce] Resource Public Key Infrastructure (RPKI) Now Available to ARIN Customers

[John Curran]

On Oct 15, 2012, at 10:19 PM, David Farmer <farmer at umn.edu> wrote:
> John,
> 
> I recognize ARIN's need for terms and conditions with this, especially for entities that don't have any other relationship with ARIN other than using the TAL to validate RPKI data.  However, I am also sympathetic to Jay's request too.
> 
> I'm generally not allowed to agree to terms and conditions on behalf of my employer, I'm sure this is common.  I'm sure ARIN has this issue when dealing with its providers too.  So, this separate agreement represents an extra barrier to implementing RPKI validation for my and in expect many other organizations too.
> 
> Maybe a middle ground solution could be to package or optionally integrated this and other service specific terms and conditions with or into the RSA or LRSA, so that they can be reviewed and agreed to all at once by an organization if they so desire.  This is a common tactic my organization likes to use.  However, it has to be balanced against including terms and conditions for service we will never use either.
> 
> In particular this agreement has separate clauses for Indemnification and Governing Law, Jurisdiction, Etc... differing from those in the RSA and LRSA.  If we could just add these service specific clauses into the RSA and/or LRSA it might be easier in many situations.  Another possible solution could be a version of the agreement that is an addendum to the RSA or LRSA, only including the service specific clauses and using the general terms and conditions from the RSA or LRSA already in place.

 David - 
 
 If you'd like a Relying Party Agreement in the form of an addendum 
 to the existing registration service agreements, I believe that is
 possible.  Note that we did not take that approach since some relying
 parties will not have a registration service agreement with ARIN.

> One way or another, I think I'll be able to make something work with ARIN, we already have an RSA and LRSA.  But, thinking about this more generally, will we need to do a separate similar agreements with each of the other RIRs too?  I know you can't speak for the other RIRs, but if you generalize this, it becomes a really ugly issue fast.  Wasn't the RIR system created to help deal with these kinds of issues?  The idea of everyone having to execute agreements with all 5 RIRs just to validate the trust seems wrong, and a legal nightmare.  I know my legal counsel will not like the idea of doing 4 other agreement, especially from around the world.

 In general, you're going to be subject to the certificate practice 
 statement and relying party agreements of all RPKI parties, the only
 question is whether or not you're made plainly aware of these terms
 up-front or not before being bound to them.  ARIN requires explicit 
 binding and hence makes it very clear that there are terms that apply,
 but your use of RPKI information is still subject (in theory) to other 
 parties terms and conditions even if you've never actually reviewed 
 them.  If you make use of such information in your official capacity in 
 an organization, you easily may be agreeing to terms and conditions on 
 behalf of your employer (whether you intended to do so or not...)  
 
 Rather than relying on questionable implied agreements to such terms
 and conditions, we have made it quite explicit so that parties can 
 make thoughtful determination as to their use of RPKI services as a 
 relying party.

FYI,
/John

John Curran
President and CEO
ARIN