Re: ARIN RPKI TAL deployment issues

[John Curran <jcurran () arin net>]

On 26 Sep 2018, at 1:14 AM, Benson Schliesser <bensons () queuefull net> wrote:
> Without venturing too far off topic, can you briefly compare this situation versus e.g. licensing of open source 
> software? Often, such software is (apparently) licensed without express agreement - using bundled license files, 
> comments inside source files, etc - and seems to accommodate the IPR and liability needs of developers and their 
> supporting organizations. Is it ARIN's understanding that this approach is not useful for RPKI data in the US, etc?

Benson - 

Excellent question.

First and foremost, an RIR agreement which provide indemnification (such as RIPE’s RPKI publisher terms, APNIC’s 
Certificate user terms, and ARIN’s RPA) provides an affirmative defense regarding liability claims; i.e. effectively we 
are able to point out at the very beginning of proceedings that parties using RPKI data per the respective agreement 
definitively have all of the associated liability from such use, not the RIR.  This allows for a timely disposition by 
a judge of any liability claims against an RIR regarding such use, which is definitely not the case of a software 
license agreement. 

In the latter case of a software license agreement, if an RIR should suffer an RPKI outage (e.g. RIPE Feb 2013 – 
https://www.ietf.org/mail-archive/web/sidr/current/msg05621.html), it will be necessary to show that any parties making 
claims of damages were harmed as the result an an ISP which had a duty to act with a certain level of care with regard 
to use of RPKI information and who failed in that duty, as opposed to the being the result of the RIR outage.    Such 
an argument must be made to the satisfaction of a jury based on the preponderance of evidence – i.e. even though each 
ISPs would have signed an agreement to use the RPKI information “as is”, that would not preclude any case proceeding to 
trial and would not necessarily be sufficient for an RIR to avoid significant liability in the event of an outage and 
despite the clear disclaimer of “as is” provision of RPKI data. 

> In any case, I also look forward to hearing the Overcoming Legal Barriers to RPKI Adoption talk next week (on Monday 
> afternoon, IIRC), and I hope that the Q&A discussion (and evening follow-up) will be helpful.

Indeed – note that your question regarding a comparison to “licensing of open source software” might also be asked 
during that Monday session in order to gain better insight from an actual attorney (rather than my offhand knowledge of 
such matters...)

Thanks!
/John 

John Curran 
President and CEO
ARIN