[arin-tech-discuss] [arin-announce] Resource Public Key Infrastructure (RPKI) Now Available to ARIN Customers
jcurran at arin.net
Tue Oct 16 05:26:24 EDT 2012
On Oct 15, 2012, at 10:19 PM, David Farmer <farmer at umn.edu> wrote:
> I recognize ARIN's need for terms and conditions with this, especially for entities that don't have any other relationship with ARIN other than using the TAL to validate RPKI data. However, I am also sympathetic to Jay's request too.
> I'm generally not allowed to agree to terms and conditions on behalf of my employer, I'm sure this is common. I'm sure ARIN has this issue when dealing with its providers too. So, this separate agreement represents an extra barrier to implementing RPKI validation for my and in expect many other organizations too.
> Maybe a middle ground solution could be to package or optionally integrated this and other service specific terms and conditions with or into the RSA or LRSA, so that they can be reviewed and agreed to all at once by an organization if they so desire. This is a common tactic my organization likes to use. However, it has to be balanced against including terms and conditions for service we will never use either.
> In particular this agreement has separate clauses for Indemnification and Governing Law, Jurisdiction, Etc... differing from those in the RSA and LRSA. If we could just add these service specific clauses into the RSA and/or LRSA it might be easier in many situations. Another possible solution could be a version of the agreement that is an addendum to the RSA or LRSA, only including the service specific clauses and using the general terms and conditions from the RSA or LRSA already in place.
If you'd like a Relying Party Agreement in the form of an addendum
to the existing registration service agreements, I believe that is
possible. Note that we did not take that approach since some relying
parties will not have a registration service agreement with ARIN.
> One way or another, I think I'll be able to make something work with ARIN, we already have an RSA and LRSA. But, thinking about this more generally, will we need to do a separate similar agreements with each of the other RIRs too? I know you can't speak for the other RIRs, but if you generalize this, it becomes a really ugly issue fast. Wasn't the RIR system created to help deal with these kinds of issues? The idea of everyone having to execute agreements with all 5 RIRs just to validate the trust seems wrong, and a legal nightmare. I know my legal counsel will not like the idea of doing 4 other agreement, especially from around the world.
In general, you're going to be subject to the certificate practice
statement and relying party agreements of all RPKI parties, the only
question is whether or not you're made plainly aware of these terms
up-front or not before being bound to them. ARIN requires explicit
binding and hence makes it very clear that there are terms that apply,
but your use of RPKI information is still subject (in theory) to other
parties terms and conditions even if you've never actually reviewed
them. If you make use of such information in your official capacity in
an organization, you easily may be agreeing to terms and conditions on
behalf of your employer (whether you intended to do so or not...)
Rather than relying on questionable implied agreements to such terms
and conditions, we have made it quite explicit so that parties can
make thoughtful determination as to their use of RPKI services as a
President and CEO
More information about the arin-tech-discuss