Mailing List Archive

ARIN RPKI services terms/conditions - Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service
NANOGers -

Changes in terms and conditions for ARIN's RPKI service – more specifically being
changes in ARIN’s Relaying Party Agreement terms and related Trust Anchor Locator
management approach – see the attached announcement for details.

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Begin forwarded message:

From: ARIN <info@arin.net<mailto:info@arin.net>>
Subject: [arin-announce] Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service
Date: 26 September 2022 at 5:24:07 PM EDT
To: "arin-announce@arin.net<mailto:arin-announce@arin.net>" <arin-announce@arin.net<mailto:arin-announce@arin.net>>

Effective 26 September 2022, ARIN is changing how we manage the ARIN Trust Anchor Locator (TAL). Users are no longer required to sign the ARIN Relying Party Agreement to redistribute information from ARIN’s Online Resource Certification PKI (“ORCP”) in a machine-readable format for network routing purposes. We are making this modification in response to feedback from the Internet community and in the hope that it will accelerate RPKI deployment in the ARIN region. We ask that developers of Relying Party software include the ARIN TAL in future releases. We encourage all participants in the RPKI community to download the ARIN TAL and add it to existing validator deployments where previously it has not been included.

The Relying Party Agreement (RPA) has been updated to reflect the changes in the useage of the TAL. The change is the addition of Section 9 “Machine-Readable Format Distribution” to the RPA and the elimination of a separate Redistributor RPA. With this addition, a party to the RPA may make information from the ORCP Services available to third parties in a machine-readable format under certain circumstances.

The updated RPA is available for review:

RPA: https://www.arin.net/resources/manage/rpki/rpa.pdf

RPA Redline: https://www.arin.net/announcements/2022/documents/rpa_092622_redline.pdf

If you have any questions or issues, please email routing.security@arin.net<mailto:routing.security@arin.net>

Regards,

Brad Gorman
Sr. Product Owner, Routing Security
American Registry for Internet Numbers (ARIN)


_______________________________________________
ARIN-Announce
You are receiving this message because you are subscribed to
the ARIN Announce Mailing List (ARIN-announce@arin.net<mailto:ARIN-announce@arin.net>).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-announce
Please contact info@arin.net if you experience any issues.
Re: ARIN RPKI services terms/conditions - Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service [ In reply to ]
Hello John,


On Mon, 26 Sept 2022 at 23:48, John Curran <jcurran@arin.net> wrote:
>
> NANOGers -
>
> Changes in terms and conditions for ARIN's RPKI service – more specifically being
> changes in ARIN’s Relaying Party Agreement terms and related Trust Anchor Locator
> management approach – see the attached announcement for details.

Considering that RP vendors and operators globally are hopefully using
the ARIN TAL and not everybody is a native english speaking lawyer,
can we simplify this a little further?

There appears to already be a disparity between different
interpretations regarding this change.

Here [1] an RP vendor claims "no additional steps are needed to use
the @TeamARIN TAL" (just like every other TALs).
Somebody else [2] appears to disagree.

The new section 9 appears to mandate that RP software checks to
confirm that the user has accepted the RPA (or another agreements with
those terms passed through "at least as protective of ARIN").


So lets put this in pseudocode for RP developers:

Previously, a setup/install helper could ask the user if ARIN RPA has
been agreed to, and in that case, download the ARIN TAL (487 byte
sized as of today).

Now a setup/install helper could ask the user if ARIN RPA has been
agreed to, and in that case, enable the use of the ARIN TAL which can
now be shipped with the product.


Can a RP validator ship and use the ARIN TAL by default, without
additional steps and confirmations by the user?

If not, what is the actual benefit of this change, other than the 487
byte download of the TAL file not being necessary any more?


Which issues of the 2019 paper "Lowering Legal Barriers to RPKI
Adoption" [3] in your opinion does this change address?



Thank you,

Lukas Tribus



[1] https://twitter.com/routinator3000/status/1574637298838376449
[2] https://twitter.com/sthen_/status/1574704553219571712
[3] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3308619
Re: ARIN RPKI services terms/conditions - Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service [ In reply to ]
* jcurran@arin.net (John Curran) [Tue 27 Sep 2022, 13:26 CEST]:
>Yes: the intent is that an RP validator may ship and use the ARIN TAL by default.
>If that is not clear in the revised RPA, then the RPA agreement will updated again for clarity.

I feel like you're just gaslighting us at this point.

"You have passed through terms that are at least as protective of ARIN
... via browse-wrap, clickwrap [...] for which such third party is
legally obligated to said terms."

So, no, software developers cannot ship and use the ARIN TAL by
default, which means without having to interrupt an installation
process with a question about Articles 5, 6, and 7 and Sections 8(a),
8(b), and 8(f) of the ARIN RPA.

Why can't ARIN just grant distribution and use for any purpose rights
like the other RIRs?


-- Niels.
Re: ARIN RPKI services terms/conditions - Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service [ In reply to ]
On Tue, Sep 27, 2022 at 4:23 AM John Curran <jcurran@arin.net> wrote:
> Yes: the intent is that an RP validator may ship and use the ARIN TAL by default.
>
> If that is not clear in the revised RPA, then the RPA agreement will updated again for clarity.

Hi John,

It's clear enough from section 9 that an RP validator may NOT ship and
use the ARIN TAL without first adopting as its own the basic
brokenness of ARIN's legal process around the TAL.This change looks to
me like a swing and a miss.

Understand John, open source software operates on a license tender
basis. The user is presumed to have accepted the license contract on
the basis of their lack of authority to have made a copy any other
way. Placing additional restrictions is a poison pill.

Regards,
Bill Herrin


--
For hire. https://bill.herrin.us/resume/
Re: ARIN RPKI services terms/conditions - Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service [ In reply to ]
On 27 Sep 2022, at 10:33 AM, Niels Bakker <niels=nanog@bakker.net<mailto:niels=nanog@bakker.net>> wrote:

* jcurran@arin.net<mailto:jcurran@arin.net> (John Curran) [Tue 27 Sep 2022, 13:26 CEST]:
Yes: the intent is that an RP validator may ship and use the ARIN TAL by default.
If that is not clear in the revised RPA, then the RPA agreement will updated again for clarity.

I feel like you're just gaslighting us at this point.

You suggest gaslighting by ARIN as as result of us indicating that if the RPA is unclear, it will be
corrected? That’s a interesting interpretation – I could certainly understand a gaslighting concern
if ARIN said “it’s fine and don’t worry about the words; it means what it means” but rather we are
acknowledging the language may still remain unclear and need to be promptly addressed.

Why can't ARIN just grant distribution and use for any purpose rights like the other RIRs?

Not quite "use for any purpose”; for example – RIPE NCC - "Users shall be permitted to download the Repository and to access and use the data contained therein, only in order to validate Certificates, CRLs and RPKI-signed objects. Download of the Repository, access to or use of the data contained therein for any other purpose, including but not limited to identification purposes, advertising, direct marketing, marketing research or similar purposes, is strictly forbidden.”

However, your point is taken and ARIN shall endeavor to make terms and conditions for use
of the TAL and the ARIN repository clearer in this regard.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers