While I certainly agree with you, I have a certainly-naive question - what is the difference between ARIN's and RIPE's T&C:

Aug 3 19:07:15 rpki-validator rpki-client[16164]: The RIPE NCC Certification Repository is subject to Terms and Conditions
Aug 3 19:07:15 rpki-validator rpki-client[16164]: See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc

As far as I understand, to use RIPE's RPKI repo I have to similarly agree with RIPE's legal contract as well, though they are somewhat less aggressive about making sure I check a box before using it.

Matt

On 8/3/20 10:54 AM, Job Snijders wrote:
> On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
>> On Sun, 2 Aug 2020 18:52:11 +0000
>> Randy Bush <ra...@psg.com> wrote:
>>
>>> not to mention the ARIN stupidity
>>
>> Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
>>
>> As documented here:
>>
>> <https://www.arin.net/resources/manage/rpki/tal/>
>>
>> One can wget, curl, or whatever this:
>>
>> <https://www.arin.net/resources/manage/rpki/arin.tal>
>
> I dunno, 'straightforward' to me would mean the ARIN TA is installed by
> default when you install a RPKI Cache Validator implementation, all
> without requiring lawyers well-versed in both your native language AND
> in the American legal system.
>
> I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without
> kludges. Here is a video (10 min) where I show how you can bootstrap a
> system from 0 to 100 without relying party agreements:
> https://www.youtube.com/watch?v=oBwAQep7Q7o
>
> The highlight of the video is when I access ARIN's website over HTTPS,
> after having resolved their webserver's IP address with a DNSSEC
> validating recursor... to discover I need to get a lawyer to download a
> .tal file which exists to protect *ARIN* members. Shouldn't ARIN members
> demand that the process is as frictionless as possible? (both the new
> and old RPA are the opposite of frictionless).
>
> ARIN members (the RPKI users) depend on network operators both inside
> and outside the ARIN region to honor their ROAs. The internet is global.
> The ARIN ROA's will not be honored if the ARIN .tal file is missing. The
> ARIN .tal file is missing because it cannot be included in open source
> software without making things very awkward.
>
> It is an insane situation. ARIN resource holders using ARIN's RPKI TA
> are measurably *less* protected than their RIPE, APNIC, LACNIC and
> AFRINIC counterparts.
>
> Get this:
>
> When you transfer your IP space away from ARIN, to *ANY* other RIR,
> you'll derive *MORE* benefits from your RPKI ROA signing efforts. You
> don't even need to renumber out of your space to improve your routing
> security posture!
>
> I believe ARIN's policy to institute a significant legal barrier to RPKI
> infrastructure negatively impacts ARIN's own members.
>
> Imagine having to sign a contract with DigiCert to obtain the public key
> to be able to visit https://paypal.com. Ha-ha-ha-ha... folly. It would
> be bad for business.
>
> Kind regards,
>
> Job
>