> On Sep 26, 2018, at 3:13 AM, John Curran <jcur...@arin.net> wrote:
>
> On 26 Sep 2018, at 2:09 AM, Christopher Morrow <morrowc.li...@gmail.com>
> wrote:
>>
>> (I'm going to regret posting this later, but...)
>>
>> On Tue, Sep 25, 2018 at 10:57 PM John Curran <jcur...@arin.net> wrote:
>>
>> The significant difference for ARIN is that we operate under a different
>> legal regime, and as a matter of US law, it appears that we cannot rely only
>> upon terms and conditions published in our website as evidence of informed
>> agreement; i.e. within the US legal framework, we need a specific act of
>> acceptance in order to have a binding agreement.
>>
>> how is arin's problem here different from that which 'lets encrypt' is
>> facing with their Cert things?
>
> Chris -
>
> The “Let’s encrypt” subscriber agreement (current version 1.2, 15 Nov 2018)
> includes "indemnify and hold harmless” clause, and parties affirmatively
> agree to those terms by requesting that ISRG issue a "Let’s Encrypt”
> Certificate to you.
>
> (I don’t know whether that process is particularly more or less onerous
> technically than the effort to download the ARIN TAL.)

The process for Let’s Encrypt is fairly straightforward: it collects some
minimal information (e.g., e-mail address, domain name) and then does all the
voodoo necessary. If ARIN were to make this request of the developers of RPKI
software, it would seem reasonable to have that passed to ARIN via some API
saying “b...@example.com” typed “Agree” to the ARIN TAL as part of the initial
installation of the software.

For me, this is about the friction involved in making it work, and while the
click-through page may not seem like a barrier, there are active measurements
that demonstrate it is. It may take time to communicate to the existing set of
operators running RPKI validators they are missing the ARIN TAL, but I would
like to ensure that new deployments don’t make this same mistake.

I think this thread/communication is part of that. “Don’t forget about the
extra step for ARIN”. It’s also “ARIN, please help make it easier to use your
service”.

With Google Maps, etc., I may have to create an API key, it comes in
multi-lingual systems in non-Roman alphabet support, etc. Being part of this
global ecosystem and running an RIR comes with some extra effort compared to
running a corner mom & pop shop. Our actions and decisions have global
consequences to the safety and security of how your and my traffic is routed.

Please work with the developers for a suitable method to include the ARIN TAL
by default. Come up with the click-accept legalese necessary.

Since you asked, here’s what they did with the CertBot that’s commonly used by
Let’s Encrypt:

(The first time you run the command, it will make an account, and ask for
an email and agreement to the Let’s Encrypt Subscriber Agreement; you can
automate those with --email and --agree-tos)

If you want to use a webserver that doesn’t have full plugin support yet,
you can still use “standalone” or “webroot” plugins to obtain a certificate:

    ./certbot-auto certonly --standalone --email ad...@example.com -d example.com -d www.example.com -d other.example.net

If you/ARIN could work closer with the developers of RPKI software to help make
this happen that would be great. If you need introductions, I’m happy to help
make them.

- Jared