ARIN RPKI TAL deployment issues
jcurran at arin.net
Wed Sep 26 07:02:30 UTC 2018
On 26 Sep 2018, at 1:14 AM, Benson Schliesser <bensons at queuefull.net> wrote:
> Without venturing too far off topic, can you briefly compare this situation versus e.g. licensing of open source software? Often, such software is (apparently) licensed without express agreement - using bundled license files, comments inside source files, etc - and seems to accommodate the IPR and liability needs of developers and their supporting organizations. Is it ARIN's understanding that this approach is not useful for RPKI data in the US, etc?
First and foremost, an RIR agreement which provide indemnification (such as RIPE’s RPKI publisher terms, APNIC’s Certificate user terms, and ARIN’s RPA) provides an affirmative defense regarding liability claims; i.e. effectively we are able to point out at the very beginning of proceedings that parties using RPKI data per the respective agreement definitively have all of the associated liability from such use, not the RIR. This allows for a timely disposition by a judge of any liability claims against an RIR regarding such use, which is definitely not the case of a software license agreement.
In the latter case of a software license agreement, if an RIR should suffer an RPKI outage (e.g. RIPE Feb 2013 – https://www.ietf.org/mail-archive/web/sidr/current/msg05621.html), it will be necessary to show that any parties making claims of damages were harmed as the result an an ISP which had a duty to act with a certain level of care with regard to use of RPKI information and who failed in that duty, as opposed to the being the result of the RIR outage. Such an argument must be made to the satisfaction of a jury based on the preponderance of evidence – i.e. even though each ISPs would have signed an agreement to use the RPKI information “as is”, that would not preclude any case proceeding to trial and would not necessarily be sufficient for an RIR to avoid significant liability in the event of an outage and despite the clear disclaimer of “as is” provision of RPKI data.
> In any case, I also look forward to hearing the Overcoming Legal Barriers to RPKI Adoption talk next week (on Monday afternoon, IIRC), and I hope that the Q&A discussion (and evening follow-up) will be helpful.
Indeed – note that your question regarding a comparison to “licensing of open source software” might also be asked during that Monday session in order to gain better insight from an actual attorney (rather than my offhand knowledge of such matters...)
President and CEO
More information about the NANOG