nanog mailing list archives

Re: ARIN RPKI TAL deployment issues


From: Jared Mauch <jared () puck nether net>
Date: Tue, 25 Sep 2018 19:11:52 -0400



> On Sep 25, 2018, at 4:28 PM, John Curran <jcurran () arin net> wrote:
>
> On 25 Sep 2018, at 3:34 PM, Job Snijders <job () ntt net> wrote:
>
> On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote:
> On Sep 25, 2018, at 1:30 PM, Job Snijders <job () ntt net> wrote:
>
>  """Using the data, we can also see the providers that have not
>  downloaded the ARIN TAL, either because they were not aware that
>  they needed to, or could not agree to the agreement they have with
>  it.
>
> Is it possible to ascertain how many of those who have not downloaded
> the ARIN TAL are also publishing ROAs via RIPE’s CA?
>
> I'm sure we could extend the data set to figure this out.
>
> It would be informative to know how many organizations potentially have concerns about the indemnification clause in
> the RPA but already agree to indemnification via RIPE NCC Certification Service Terms and Conditions.
>
> It would be interesting to see how much further deployment would have occurred if ARIN made its TAL available similar
> to the other locations.

Thankfully we have active measurements that show that ARIN prefixes are less protected due to this.  As someone that is 
(for personal reasons) now a voting member of ARIN, this is one of my primary concerns.  My ARIN issued space is _less_ 
protected than if I were to have used another RIR.  This devalues that investment.  

Instead of asking for an experiment, John, I challenge you to make the ARIN TAL available and help play a role in 
securing the IP space within your region.  There is this mantra of Secure by Default that many people have learned 
since the open-relay, smurf amplification and other attack days.  There’s a reason my password isn’t a dictionary word, 
etc.

If you make it easy to secure a website (e.g. Let's Encrypt is a great example) there are now fewer self-signed 
certificates because it’s easier to do.

Why is ARIN making it so hard for its members to get the benefits of the global ecosystem for their RIR controlled 
space?  What makes ARIN IP space so unique in this sense?  As part of a global ecosystem it’s incumbent on many of us 
to do the right thing here and ARIN is increasing the friction on the part of everyone to do the right thing.

If I had to download the ARIN CA in order to interact with www.arin.net vs it being bundled in my browser store, would 
I be able to securely interact with ARIN?

Therefore, I once again challenge you as part of the leadership of this organization to make the ARIN IP space as 
protected as those issued by the other regions.  Let the developers know that if they bundle the ARIN TAL they won’t 
face legal action.  Help bring routing security to the same ease of use as places like Let's Encrypt do for those in the 
SSL/TLS ecosystem.

- Jared Mauch
(Representing my own self/WFPL-1)
