Re: Software installation tools retrieving ARIN TAL (was: Re: ARIN RPKI TAL deployment issues)

[Baldur Norddahl <baldur.norddahl () gmail com>]

Is the ARIN TAL copyrighted? Is it even copyrightable? It has no creative
value, which is a requirement in european law. Why would not RIPE just
include it like they do for every other RIR TAL?


lør. 13. okt. 2018 15.49 skrev Job Snijders <job () ntt net>:

> Dear John,
>
> I'd like to thank you and the ARIN team for these efforts - in doing so
> I feel that ARIN recognises issues & concerns related to the
> distribution of the ARIN RPKI TAL. Acknowledging a problem is the first
> step to solving it!
>
> On Sat, Oct 13, 2018 at 09:35:36AM -0400, John Curran wrote:
> > On 25 Sep 2018, at 3:34 PM, Job Snijders <job () ntt net> wrote:
> > > ...
> > > What I'm hoping for is that there is a way for the ARIN TAL to be
> > > included in software distributions, without compromising ARIN's
> > > legal position.
> > >
> > > Perhaps an exception for software distributors would already go a
> > > long way?
> >
> > While not exactly what you seek, we can get a bit closer to the goal –
> > i.e. by eliminating the need for the user installing a software
> > package to first go get the ARIN TAL and put it in the right place
> > prior to running the installation software.
> >
> > To that end, the ARIN TAL page
> > https://www.arin.net/resources/rpki/tal.html has been revised with
> > specific guidance –
> >
> >       Software Installation Tools
> >
> >       Software installation tools may download the ARIN TAL on behalf of
> a
> >       user after the user has confirmed their acceptance of the ARIN
> >       Relying Party Agreement (RPA) on the ARIN website.  This acceptance
> >       must require "agreement to the ARIN Relying Party Agreement
> >       (https://www.arin.net/resources/rpki/rpa.pdf)" and obtain a
> >       non-ambiguous affirmative action by clicking on, or the entry of, a
> >       word of agreement (such as  "yes" or "accept")
> >
> > Example: Attention: This package requires the download of the ARIN TAL
> > and agreement to the ARIN Relying Party Agreement (RPA)
> > (https://www.arin.net/resources/rpki/rpa.pdf). Type "yes" to agree,
> > and you can proceed with the ARIN TAL download: yes
>
> In this approach I still observe an institutional barrier. If we take
> DNSSEC as analogous concept, when installing & starting BIND, unbound,
> NSD, knot, Microsoft DNS, or PowerDNS, no affirmative actions are
> required.
>
> It is also not clear to me how in context of fully automated
> installation & deployment the paradigm of 'non-ambiguous affirmative
> action' can exist. If we instruct orchastration software to say 'yes' to
> whatever questions pop up what does that actually mean? It certainly no
> longer adheres to the spirit of whatever it is that ARIN seeks.
>
> Lastly - having to download a file ('requiring specific network
> connectivity') in context of installation & deployment is always
> inferior compared to bundling all required pieces into coherent software
> packages.
>
> > We will continue to explore mechanisms for making ARIN’s RPKI
> > repository more accessible to the community, but felt that this
> > interim step could be accomplished promptly and was worth noting in a
> > timely manner to those distributing RPKI software.
>
> Yes - please do. Providing guidance to software distributors does not
> change some of the challenging contents of the RPA, nor does it address
> the fundamental institutional barrier that separates the ARIN TAL from
> the other RIR TALs.
>
> Kind regards,
>
> Job