Re: RPKI TAs

[Matt Corallo <nanog () as397444 net>]

While I certainly agree with you, I have a certainly-naive question - what the difference is between ARIN and RIPE's 
T&C:

Aug  3 19:07:15 rpki-validator rpki-client[16164]: The RIPE NCC Certification Repository is subject to Terms and 
Conditions
Aug  3 19:07:15 rpki-validator rpki-client[16164]: See
http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc

As far as I understand, to use RIPE's RPKI repo I have to similarly agree with RIPE's legal contract as well, though
they are somewhat less aggressive about making sure I check a box before using it.

Matt

On 8/3/20 10:54 AM, Job Snijders wrote:
> On Mon, Aug 03, 2020 at 08:17:55AM -0500, John Kristoff wrote:
> > On Sun, 2 Aug 2020 18:52:11 +0000
> > Randy Bush <randy () psg com> wrote:
> >
> > > not to mention the ARIN stupidity
> >
> > Notwithstanding the RPA, downloading ARIN's TAL is straightforward:
> >
> > As documented here:
> >
> >   <https://www.arin.net/resources/manage/rpki/tal/>
> >
> > One can wget, curl, or whatever this:
> >
> >   <https://www.arin.net/resources/manage/rpki/arin.tal>
>
> I dunno, 'straightforward' to me would mean the ARIN TA is installed by
> default when you install a RPKI Cache Validator implementation, all
> without requiring lawyers well-versed in both your native language AND
> in the American legal system.
>
> I can do DNSSEC, RPKI ROV, Signify, Web PKIs like TLS - all without
> kludges. Here is a video (10 min) where I show how you can bootstrap a
> system from 0 to 100 without relying party agreements:
> https://www.youtube.com/watch?v=oBwAQep7Q7o
>
> The highlight of the video is when I access ARIN's website over HTTPS,
> after having resolved their webserver's IP address with a DNSSEC
> validating recursor... to discover I need to get a lawyer to download a
> .tal file which exists to protect *ARIN* members. Shouldn't ARIN members
> demand that the process is as frictionless as possible? (both the new
> and old RPA are the opposite of frictionless).
>
> ARIN members (the RPKI users) depend on network operators both inside
> and outside the ARIN region to honor their ROAs. The internet is global.
> The ARIN ROA's will not be honored if the ARIN .tal file is missing. The
> ARIN .tal file is missing because it cannot be included in open source
> software without making things very awkward.
>
> It is an insane situation. ARIN resource holders using ARIN's RPKI TA
> are measurably *less* protected than their RIPE, APNIC, LACNIC and
> AFRINIC counterparts.
>
> Get this:
>
> When you transfer your IP space away from ARIN, to *ANY* other RIR,
> you'll derive *MORE* benefits from your RPKI ROA signing efforts. You
> don't even need to renumber out of your space to improve your routing
> security posture!
>
> I believe ARIN's policy to institute a significant legal barrier to RPKI
> infrastructure negatively impacts ARIN's own members.
>
> Imagine having to sign a contract with DigiCert to obtain the public key
> to be able to visit https://paypal.com. Ha-ha-ha-ha... folly. It would
> be bad for business.
>
> Kind regards,
>
> Job