On 14 Aug 2019, at 1:21 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

In message <06570278-E1AD-4BB0-A9FC-11A77BED76E1@arin.net>, 
John Curran <jcurran@arin.net> wrote:

Even so, we at ARIN are in the midst of a Board-directed review of the RPKI
legal framework to see if any improvements can be made <https://www.arin.net/
vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf>  – I will
provide further updates once it is completed. 

This is an excellent presentation John, and I'm real glad to see that you
have done such a nice job on it and touched on all of the important points.

In particular, I'm glad that you clarified that if everyone is just doing
what they ought to be doing, i.e. following best practices, then even if
RPKI central and all of its sister satellites should all be simultaneously
hit by metorites, then in theory at least, nobody should be any worse off
than they already are today.

And yes, I can't argue and won't argue that some folks aren't going to be
bozos and screw up their RPKI deployment, and then some of them -may-
possibly want to blame ARIN for -their- screw ups, but I continue to have
trouble envisioning how this would ever traslate into a lawsuit that
wouldn't simply be laughed out of court in about five seconds if handled
properly.

Alas, it’s not those who fail to properly configure RPKI that are likely to be litigating, but rather their impacted customers and those customers' business partners who all were unable to communicate due to no fault of their own. 

Such a matter will not be thrown out of court, but will be the start of a long and very expensive process involving claims, discovery, experts, etc.  (a recent legal matter that was promptly resolved in ARIN’s favor pre-litigation still resulted in more than 1/3 million USD in costs...)   Absent a specific reason for dismissal, it is only in actual trial that the preponderance of evidence gets considered – and note that in such a dispute, we’d end up with a jury of regular folks hearing fairly technical arguments about certificate validation, covering ROA’s, caching, etc.    In other words, even if handled perfectly, your five second estimate is likely off by a year or more (and hence the reason for indemnification - it provides a clear basis for ARIN’s exit from the matter, as it makes plain that the liability resulting from use of the RPKI repository lies with the ISP.)

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers