ARIN RPKI TAL deployment issues

Job Snijders job at
Tue Sep 25 21:04:26 UTC 2018

Dear John,

On Tue, Sep 25, 2018 at 08:28:54PM +0000, John Curran wrote:
> On 25 Sep 2018, at 3:34 PM, Job Snijders <job at> wrote:
> > 
> > On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote:
> >> On Sep 25, 2018, at 1:30 PM, Job Snijders <job at> wrote:
> >>> 
> >>>   """Using the data, we can also see that the providers that have not
> >>>   downloaded the ARIN TAL. Either because they were not aware that
> >>>   they needed to, or could not agree to the agreement they have with
> >>>   it.
> >> 
> >> Is it possible to ascertain how many of those who have not downloaded
> >> the ARIN TAL are also publishing ROA’s via RIPE’s CA?
> > 
> > I'm sure we could extend the data set to figure this out. 
> It would be informative to know how many organizations potentially
> have concerns about the indemnification clause in the RPA but already
> agree to indemnification via RIPE NCC Certification Service Terms and
> Conditions.

This seems a matter of personal curiosity that perhaps distracts from
the problem at hand: the ARIN TAL is less widely deployed than the other

I'm open to solutions or suggestions to get the ARIN TAL more widely
distributed, however I do think that inclusion in the RPKI Cache
Validators is a *key* element, so the ARIN TAL can be used after a
default installation of such software.

We really need to bring it back down to "apt install rpki-cache-validator"
to best serve the interests of the ARIN members. Imagine the Chrome
browser shipping without any of the TLS Root Certificates, or Unbound
without the DNSSEC root key!

Kind regards,


More information about the NANOG mailing list