ARIN's RPKI Relying agreement

Thu Dec 4 16:35:01 UTC 2014

On Thu, Dec 4, 2014 at 11:22 AM, William Herrin <bill at herrin.us> wrote:
> On Thu, Dec 4, 2014 at 10:51 AM, Bill Woodcock <woody at pch.net> wrote:
>> All the specific legal feedback I’ve heard is that this is a liability
> nightmare,
>> and that everyone wants ARIN to take on all the liability, but nobody
>> wants to pay for it.  Are you hearing something more useful than that?

<snip>

> No, nothing more useful. I've seen a lot of hand waving, but I still have
> no clue how the publication of RPKI data places ARIN at a different risk
> than publication of whois data. I think if we could better understand that,

(oops, I assumed that the decision to have the rpa implemented in the
way it is is due to 'arin counsel')

Maybe it would be helpful for the ARIN Counsel to document in a more
public way (than the RPA) what the concerns are and how that
translates into 'different risk than the publication of whois data' ?

> we'd be better able assess what the next steps are. Do we beat down ARIN's
> door and insist they publish the data? Do we pursue the creation of some
> new organization to manage RPKI, one with intentionally shallow pockets,
> and ask ARIN to cede the function? Something else? I think we all need a
> better understanding of the alleged legal issue before we can zero in on
> what should come next.

One of the complaints I've heard is that for out-of-region folk to get
the TA details they need to sign the RPA, and potentially be bound by
a contract that they can't be bound by anyway... so the process is
looked upon as a bit 'foolish' or perhaps: "over-reaching" is the more
polite term used.

First though I think Bill's point about: "How did we get into this
mess? could someone walk us through the process/steps taken to get
here?"

maybe we zigged when we ought to have zagged?

-chris