<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-7">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        mso-add-space:auto;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        mso-add-space:auto;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        mso-add-space:auto;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        mso-add-space:auto;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:250706036;
        mso-list-type:hybrid;
        mso-list-template-ids:-1596062490 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">As the coauthors of the 2019 NSF-supported report that contributed to the current momentum toward overcoming the barriers RPKI adoption, a prior posting asked for our assessment
 of the changes.  Our apologies that we won’t be able to join you at this NANOG.  We hope to put together some type of program in Atlanta in February.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">We would say that intent of ARIN’s Sept. 26 and 29 updates ((<a href="https://www.arin.net/announcements/2022/documents/rpa_092622_redline.pdf">link</a> and
<a href="https://www.arin.net/announcements/2022/documents/rpa_092922_redline.pdf">
link</a>) to the RPA—to permit distribution of the TAL without signing the RPA—represent positive steps to address the most significant concern that we raised.  In particular, the language in Section 5 added by the Sept. 29 update explicitly stating, “Notwithstanding
 the foregoing, You are specifically allowed to publicly distribute the ARIN TAL, including by embedding the ARIN TAL in relying party software,” appears to authorize including ARIN’s TAL in all distributions of validator software, and RPKI adopters would no
 longer need to download ARIN’s TAL from its website.  If effective, this is would remove the single most important legal obstacle to broader use of RPKI.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The continuing wrinkle is that Section 5 authorizes distribution of ORCP services (including the ARIN TAL) only as permitted by the ORCP service terms.  Section 9 requires
 third parties receiving this information either to have agreed to the RPA or to have entered into an agreement with the distributing party that includes the key terms of the RPA.  That would suggest that anyone distributing validator software with ARIN’s TAL
 must ensure that the recipient has agreed to the RPA in order to avoid violating the ORCP service terms.  Although open source typically relies on licenses that are good against all users regardless of knowledge or assent (because they sound in property instead
 of contract), assent to the terms of the RPA could be incorporated into the distribution process, perhaps in the same manner used for other certificate authorities, which typically have terms of use.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Another comment on this thread asked if ARIN has now addressed the other issues raised by our report.  It is our assessment that ARIN has adequately addressed three of our
 other concerns, has announced its intention to address two others, and partially addressed one.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The three issues that ARIN has adequately addressed include:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
<u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Dropping provision of the RSA requiring legacy address holders to acknowledge ARIN’s property rights in IP addresses</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">: 
 dropped in update to LRSA dated Sept. 12, 2022 (<a href="https://www.arin.net/about/corporate/agreements/rsav13_changes.pdf">link</a>).<o:p></o:p></span></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
<u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Drop provision of RPA prohibiting sharing of RPKI-derived data in a machine-readable format</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">:  authorized for informational
 purposes by update to RPA dated Oct. 21, 2019 (<a href="https://www.arin.net/vault/announcements/2019/20191021.html">link</a>); authorized for routing purposes by update to RPA dated Sept. 26, 2022 (<a href="https://www.arin.net/announcements/2022/documents/rpa_092622_redline.pdf">link</a>).<o:p></o:p></span></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
<u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Better dissemination of best practices to the community</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">:  addressed by expansion of RPKI training at FISPA, WISPA,
 CaribNOG, and NANOG.<o:p></o:p></span></li></ul>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">ARIN has its intention to address two of our other concerns in the near future:<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
<u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Better disclosure to government agencies of ARIN’s willingness to waive insemination and choice of law clauses when barred by law</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">: 
 likely to be addressed by ARIN’s announced plans to create webpage specifically for governments.<o:p></o:p></span></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
<u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Better disclosure of operational practices, such as uptime, update frequency, and response expectations</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">:  likely to
 be addressed further by planned update to certificate practices statement.<o:p></o:p></span></li></ul>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">It partially addressed one concern that we raised.<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpLast" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo1">
<u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Dropping blanket indemnification clause in favor of disclaimer of warranties and liability</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">:  revised RPA to exclude
 indemnification for ARIN’s gross negligence by update to RPA dated Oct. 21, 2019 (<a href="https://www.arin.net/vault/announcements/2019/20191021.html">link</a>).<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">We hope these comments are helpful and look forward to continuing to work with the community on removing the remaining legal barriers to RPKI adoption.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Christopher Yoo (on behalf of myself and David Wishnick)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
</div>
</body>
</html>