As the coauthors of the 2019 NSF-supported report that contributed to the current momentum toward overcoming the barriers RPKI adoption, a prior posting asked for our assessment of the changes. Our apologies that we won't be able to join you at this NANOG. We hope to put together some type of program in Atlanta in February.
We would say that intent of ARIN's Sept. 26 and 29 updates ((link<https://www.arin.net/announcements/2022/documents/rpa_092622_redline.pdf> and link<https://www.arin.net/announcements/2022/documents/rpa_092922_redline.pdf>) to the RPA-to permit distribution of the TAL without signing the RPA-represent positive steps to address the most significant concern that we raised. In particular, the language in Section 5 added by the Sept. 29 update explicitly stating, "Notwithstanding the foregoing, You are specifically allowed to publicly distribute the ARIN TAL, including by embedding the ARIN TAL in relying party software," appears to authorize including ARIN's TAL in all distributions of validator software, and RPKI adopters would no longer need to download ARIN's TAL from its website. If effective, this is would remove the single most important legal obstacle to broader use of RPKI. The continuing wrinkle is that Section 5 authorizes distribution of ORCP services (including the ARIN TAL) only as permitted by the ORCP service terms. Section 9 requires third parties receiving this information either to have agreed to the RPA or to have entered into an agreement with the distributing party that includes the key terms of the RPA. That would suggest that anyone distributing validator software with ARIN's TAL must ensure that the recipient has agreed to the RPA in order to avoid violating the ORCP service terms. Although open source typically relies on licenses that are good against all users regardless of knowledge or assent (because they sound in property instead of contract), assent to the terms of the RPA could be incorporated into the distribution process, perhaps in the same manner used for other certificate authorities, which typically have terms of use. Another comment on this thread asked if ARIN has now addressed the other issues raised by our report. It is our assessment that ARIN has adequately addressed three of our other concerns, has announced its intention to address two others, and partially addressed one. The three issues that ARIN has adequately addressed include: * Dropping provision of the RSA requiring legacy address holders to acknowledge ARIN's property rights in IP addresses: dropped in update to LRSA dated Sept. 12, 2022 (link<https://www.arin.net/about/corporate/agreements/rsav13_changes.pdf>). * Drop provision of RPA prohibiting sharing of RPKI-derived data in a machine-readable format: authorized for informational purposes by update to RPA dated Oct. 21, 2019 (link<https://www.arin.net/vault/announcements/2019/20191021.html>); authorized for routing purposes by update to RPA dated Sept. 26, 2022 (link<https://www.arin.net/announcements/2022/documents/rpa_092622_redline.pdf>). * Better dissemination of best practices to the community: addressed by expansion of RPKI training at FISPA, WISPA, CaribNOG, and NANOG. ARIN has its intention to address two of our other concerns in the near future: * Better disclosure to government agencies of ARIN's willingness to waive insemination and choice of law clauses when barred by law: likely to be addressed by ARIN's announced plans to create webpage specifically for governments. * Better disclosure of operational practices, such as uptime, update frequency, and response expectations: likely to be addressed further by planned update to certificate practices statement. It partially addressed one concern that we raised. * Dropping blanket indemnification clause in favor of disclaimer of warranties and liability: revised RPA to exclude indemnification for ARIN's gross negligence by update to RPA dated Oct. 21, 2019 (link<https://www.arin.net/vault/announcements/2019/20191021.html>). We hope these comments are helpful and look forward to continuing to work with the community on removing the remaining legal barriers to RPKI adoption. Christopher Yoo (on behalf of myself and David Wishnick)
