On 14 Aug 2019, at 1:21 AM, Ronald F. Guilmette <rfg@tristatelogic.com<mailto:rfg@tristatelogic.com>> wrote: In message <06570278-E1AD-4BB0-A9FC-11A77BED76E1@arin.net<mailto:06570278-E1AD-4BB0-A9FC-11A77BED76E1@arin.net>>, John Curran <jcurran@arin.net<mailto:jcurran@arin.net>> wrote: Even so, we at ARIN are in the midst of a Board-directed review of the RPKI legal framework to see if any improvements can be made <https://www.arin.net/ vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf> – I will provide further updates once it is completed. This is an excellent presentation John, and I'm real glad to see that you have done such a nice job on it and touched on all of the important points. In particular, I'm glad that you clarified that if everyone is just doing what they ought to be doing, i.e. following best practices, then even if RPKI central and all of its sister satellites should all be simultaneously hit by metorites, then in theory at least, nobody should be any worse off than they already are today. And yes, I can't argue and won't argue that some folks aren't going to be bozos and screw up their RPKI deployment, and then some of them -may- possibly want to blame ARIN for -their- screw ups, but I continue to have trouble envisioning how this would ever traslate into a lawsuit that wouldn't simply be laughed out of court in about five seconds if handled properly. Alas, it’s not those who fail to properly configure RPKI that are likely to be litigating, but rather their impacted customers and those customers' business partners who all were unable to communicate due to no fault of their own. Such a matter will not be thrown out of court, but will be the start of a long and very expensive process involving claims, discovery, experts, etc. (a recent legal matter that was promptly resolved in ARIN’s favor pre-litigation still resulted in more than 1/3 million USD in costs...) Absent a specific reason for dismissal, it is only in actual trial that the preponderance of evidence gets considered – and note that in such a dispute, we’d end up with a jury of regular folks hearing fairly technical arguments about certificate validation, covering ROA’s, caching, etc. In other words, even if handled perfectly, your five second estimate is likely off by a year or more (and hence the reason for indemnification - it provides a clear basis for ARIN’s exit from the matter, as it makes plain that the liability resulting from use of the RPKI repository lies with the ISP.) Thanks, /John John Curran President and CEO American Registry for Internet Numbers