ARIN RPKI TAL deployment issues
jcurran at arin.net
Wed Sep 26 13:30:42 UTC 2018
On 26 Sep 2018, at 9:26 AM, Jared Mauch <jared at puck.nether.net> wrote:
>> On Sep 26, 2018, at 7:16 AM, John Curran <jcurran at arin.net> wrote:
>> On 26 Sep 2018, at 3:29 AM, Jared Mauch <jared at puck.nether.net> wrote:
>>> The process for lets encrypt is fairly straightforward, it collects some minimal information (eg: e-mail address, domain name) and then does all the voodoo necessary. If ARIN were to make this request of the developers of RPKI software, it would seem reasonable to have that passed to ARIN via some API saying “bob at example.com” typed “Agree” to the ARIN TAL as part of the initial installation of the software.
>> Jared -
>> Interesting point – thank you for the very clear elaboration of this particular issue.
> Thank you for listening :-)
No problem at all – I work for you (i.e. the collective “you" on this mailing list.)
>> Would it suffice if ARIN made clear in its RPKI information that software installation tools may download the ARIN TAL on behalf of a party so long as the parry agrees to statement displayed which reads “This software utilizes information from the ARIN Certificate Authority, and such usage is subject to the ARIN Relying Party Agreement. Type ‘Agree’ to proceed” ?
> I think this would help, but ideally you would allow people (software vendors) to package the TAL and if they type ‘Agree’ it would allow use of it.
Got it - I’ll look to this approach if at all possible.
>>> Please work with the developers for a suitable method to include the ARIN TAL by default. Come up with the click-accept legalese necessary.
>>> Since you asked, here’s what they did with the CertBot that’s commonly used by Lets Encrypt:
>>> (The first time you run the command, it will make an account, and ask for an email and agreement to the Let’s Encrypt Subscriber Agreement; you can automate those with --email and --agree-tos)
>> Acknowledged; I believe that allowing something similar to enable software installation tools to download the ARIN TAL for a party should be relatively straightforward – I will research that asap.
> Thank you! This and/or guidance to software developers about this being a permissible action on their part. This should help improve things.
Thanks for the thoughtful discussion - very helpful!
President and CEO
More information about the NANOG