nanog mailing list archives

Re: ARIN RPKI TAL deployment issues


From: Jared Mauch <jared () puck nether net>
Date: Wed, 26 Sep 2018 03:29:33 -0400



On Sep 26, 2018, at 3:13 AM, John Curran <jcurran () arin net> wrote:

On 26 Sep 2018, at 2:09 AM, Christopher Morrow <morrowc.lists () gmail com> wrote:

(I'm going to regret posting this later, but...)

On Tue, Sep 25, 2018 at 10:57 PM John Curran <jcurran () arin net> wrote:

The significant difference for ARIN is that we operate under a different legal regime, and as a matter of US law, it 
appears that we cannot rely only upon terms and conditions published in our website as evidence of informed 
agreement; i.e. within the US legal framework, we need a specific act of acceptance in order to have a binding 
agreement.  

how is arin's problem here different from that which 'lets encrypt' is facing with their Cert things?

Chris - 

The "Let's Encrypt" subscriber agreement (current version 1.2, 15 Nov 2018) includes an "indemnify and hold harmless" 
clause, and parties affirmatively agree to those terms by requesting that ISRG issue a "Let's Encrypt" Certificate to 
you.

(I don’t know whether that process is particularly more or less onerous technically than the effort to download the 
ARIN TAL.) 

The process for Let's Encrypt is fairly straightforward: it collects some minimal information (e.g. e-mail address, 
domain name) and then does all the voodoo necessary.  If ARIN were to make this request of the developers of RPKI 
software, it would seem reasonable to have that passed to ARIN via some API saying “bob () example com” typed “Agree” 
to the ARIN TAL as part of the initial installation of the software.

For me, this is about the friction involved in making it work and while the click-through page may not seem like a 
barrier, there are active measurements that demonstrate it is.  It may take time to communicate to the existing set of 
operators running RPKI validators they are missing the ARIN TAL, but I would like to ensure that new deployments don’t 
make this same mistake.

I think this thread/communication is part of that.  “Don’t forget about the extra step for ARIN”.  It’s also “ARIN, 
please help make it easier to use your service”.

With Google Maps, etc. I may have to create an API key, it comes in multi-lingual systems in non-roman alphabet 
support, etc.  Being part of this global ecosystem and running an RIR comes with some extra effort compared to running 
a corner mom & pop shop.  Our actions and decisions have global consequences to the safety and security of how your and 
my traffic is routed.

Please work with the developers for a suitable method to include the ARIN TAL by default.  Come up with the 
click-accept legalese necessary.

Since you asked, here's what they did with the CertBot that's commonly used by Let's Encrypt:


    (The first time you run the command, it will make an account, and ask for an email and agreement to the Let’s 
Encrypt Subscriber Agreement; you can automate those with --email and --agree-tos)

    If you want to use a webserver that doesn’t have full plugin support yet, you can still use “standalone” or 
“webroot” plugins to obtain a certificate:

    ./certbot-auto certonly --standalone --email admin () example com -d example.com -d www.example.com -d other.example.net

If you/ARIN could work closer with the developers of RPKI software to help make this happen that would be great.  If 
you need introductions, I’m happy to help make them.

- Jared
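The thread's operational point is that existing validator deployments silently lack the ARIN TAL. The following script is an added example, not part of the post or of any validator project: it inspects a validator's TAL directory and reports which RIR TALs are present, flagging ARIN when it is missing. It assumes TAL files carry a `.tal` suffix and that either the file name or the rsync/https URI inside the file names the RIR (the `ripe.tal`, `arin.tal` style naming is an assumption, and the sample directory it builds holds constructed placeholder files, not real TALs).

```shell
#!/bin/sh
# Added example (not from the thread): report which RIR TALs a validator has
# installed, and flag a missing ARIN TAL. Assumptions: TAL files end in .tal,
# and the RIR is identifiable from the file name or from a URI line inside it.

# check_tals DIR
#   Prints one line per RIR, "<rir> present" or "<rir> MISSING".
#   Returns 1 if any RIR's TAL is missing, 0 if all five are present.
check_tals() {
    dir="$1"
    missing=0
    for rir in afrinic apnic arin lacnic ripe; do
        found=0
        for f in "$dir"/*.tal; do
            [ -e "$f" ] || continue
            # First try the file name (e.g. arin.tal), case-insensitively.
            case "$(basename "$f" | tr 'A-Z' 'a-z')" in
                *"$rir"*) found=1 ;;
            esac
            # Otherwise look for the RIR name in a TA URI line inside the file.
            if [ "$found" -eq 0 ] && grep -qiE "^(rsync|https)://[^ ]*$rir" "$f"; then
                found=1
            fi
            if [ "$found" -eq 1 ]; then
                break
            fi
        done
        if [ "$found" -eq 1 ]; then
            echo "$rir present"
        else
            echo "$rir MISSING"
            missing=1
        fi
    done
    return "$missing"
}

# make_sample_dir
#   Builds a constructed TAL directory with four placeholder TALs and no ARIN
#   TAL, mimicking the deployments the thread describes. Prints the path.
make_sample_dir() {
    d=$(mktemp -d)
    for rir in afrinic apnic lacnic ripe; do
        # Constructed placeholder content; the real TAL format is not reproduced.
        printf 'rsync://example-%s.invalid/ta.cer\n\nAAAA\n' "$rir" > "$d/$rir.tal"
    done
    echo "$d"
}

# Stand-alone usage: check a real directory if given, else demonstrate on the
# constructed sample (which will report "arin MISSING" and exit 1).
if [ "${0##*/}" != "sh" ] && [ "$#" -ge 1 ]; then
    check_tals "$1"
elif [ "$#" -eq 0 ] && [ -n "$RUN_TAL_DEMO" ]; then
    sample=$(make_sample_dir)
    check_tals "$sample" || echo "at least one TAL is missing in $sample"
    rm -rf "$sample"
fi
```

Run it as `sh check_tals.sh /path/to/tals` against a validator's TAL directory; a non-zero exit status makes it usable from a deployment check or monitoring job so that a new installation without the ARIN TAL is caught before it is relied upon.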
