On 3 Feb 2017, at 8:15 AM, LOOS Eric (BCS/CBU) <[email protected]<mailto:[email protected]>> wrote:
IANAL, but I have worked enough with our legal department to see some red flags in the RPA: - Possibility for on-sided modifications of the T&C with automatic acceptance thereof - Complete indemnification of ARIN et al. So I definitely sympathize with the point that the RPA as worded there is probably unacceptable for many carriers (us included) I also agree that it is a moot point whether this is a click through before a download is possible or fine print of the website which is presumable accepted once the service is accessed; it is in fact indeed commendable that ARIN does not try to let companies agree to such far reaching legal language without at least raising the flag. Eric - ARIN does indeed call out the entry into a RPKI legal agreement, and this is an agreement that includes indemnification (whereas other RIRs rely upon implicit binding via use to similar provisions in their overall registry agreements.) Therefore the points made by Wes during his nanog talk regarding the modification of the RPA are pertinent here. After Wes’ presentation, access to ARIN’s TAL was changed to no longer require explicit acceptance (via entry of email address and access via emailed link) and instead allow direct download, but it remains unclear whether implicit agreement via having the TAL bundled with other software would suffice for the same purposes (at least in the US.) I wonder why the trustees have chosen to take such a defensive approach on information contained in the RKPI, after all we have had RBL lists in the past for blocking mail, we pretty much all uses RIR routing registries for building our filters, many people rely on PeeringDB for keeping their peering records up to date and I have not encountered such defensive position before. It is true that the ARIN RPA contains an indemnification clause, but as I pointed out to Wes, it is remarkably similar to the indemnification clauses that are contained in many carriers' Internet service contracts. Providing and purchasing Internet services under such indemnification provisions does tend to belie claims that those same provisions for RPKI are burdensome, and further those provisions serve an important role in making sure that ARIN’s overall registry services (used by many thousands of organizations) cannot be impacted by any adverse outcome resulting from less-than-diligent RPKI usage. Especially RPKI requires a wide acceptance to be able to do anything useful. What would be the process for the trustees to review this matter and share their insights on this matter? The ARIN Board of Trustees has spent a very significant amount of time in recent years on RPKI services, including their availability, terms of service and related risks – this has resulted in continuous improvement to both the agreements and methods of access to the TAL as noted above. The Trustees are all on this mailing list, and I will (as previously noted) bring this topic to them at their next meeting for further review. I also note that the ARIN Board of Trustees holds a public session at each ARIN meeting and is available to address questions such as these if a more interactive format is preferred. Thanks! /John John Curran President and CEO ARIN
_______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ([email protected]). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/arin-ppml Please contact [email protected] if you experience any issues.
