> On Sep 25, 2018, at 4:28 PM, John Curran <jcur...@arin.net> wrote:
>
> On 25 Sep 2018, at 3:34 PM, Job Snijders <j...@ntt.net> wrote:
>>
>> On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote:
>>> On Sep 25, 2018, at 1:30 PM, Job Snijders <j...@ntt.net> wrote:
>>>>
>>>> """Using the data, we can also see that the providers that have not
>>>> downloaded the ARIN TAL. Either because they were not aware that
>>>> they needed to, or could not agree to the agreement they have with
>>>> it.
>>>
>>> Is it possible to ascertain how many of those who have not downloaded
>>> the ARIN TAL are also publishing ROA’s via RIPE’s CA?
>>
>> I'm sure we could extend the data set to figure this out.
>
> It would be informative to know how many organizations potentially have
> concerns about the indemnification clause in the RPA but already agree to
> indemnification via RIPE NCC Certification Service Terms and Conditions.
It would be interesting to see how much further deployment would have occurred
if ARIN made it’s TAL available similar to the other locations.
Thankfully we have active measurements that show that ARIN prefixes are less
protected due to this. As someone that is (for personal reasons) now a voting
member of ARIN, this is one of my primary concerns. My ARIN issued space is
_less_ protected than if I were to have used another RIR. This devalues that
investment.
Instead of asking for an experiment, John I challenge you to make the ARIN TAL
available and help play a role in securing the IP space within your region.
There is this mantra of Secure by Default that many people have learned since
the open-relay, smurf amplification and other attack days. There’s a reason my
password isn’t a dictionary word, etc.
If you make it easy to secure a website (eg: Lets Encrypt is a great example)
there are now fewer self-signed certificates because it’s easier to do.
Why is ARIN making it so hard for it’s members to get the benefits of the
global ecosystem for their RIR controlled space? What makes ARIN IP space so
unique in this sense? As part of a global ecosystem it’s incumbent of many of
us to do the right thing here and ARIN is increasing the friction on the part
of everyone to do the right thing.
If I had to download the ARIN CA in order to interact with www.arin.net vs it
being bundled in my browser store, would I be able to securely interact with
ARIN?
Therefore, I once again challenge you as part of the leadership of this
organization to make the ARIN IP space as protected as those issued by the
other regions. Let the developers know that if they bundle the ARIN TAL they
won’t face legal action. Help bring routing security to the same ease of use
as places like LetsEncrypt do for those in the SSL/TLS ecosystem.
- Jared Mauch
(Representing my own self/WFPL-1)
