On 14 Aug 2019, at 1:21 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <06570278-E1AD-4BB0-A9FC-11A77BED76E1@arin.net>, John Curran <jcurran@arin.net> wrote:
Even so, we at ARIN are in the midst of a Board-directed review of the RPKI legal framework to see if any improvements can be made <https://www.arin.net/vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf> – I will provide further updates once it is completed.
This is an excellent presentation John, and I'm real glad to see that you have done such a nice job on it and touched on all of the important points.
In particular, I'm glad that you clarified that if everyone is just doing what they ought to be doing, i.e. following best practices, then even if RPKI central and all of its sister satellites should all be simultaneously hit by meteorites, then in theory at least, nobody should be any worse off than they already are today.
And yes, I can't argue and won't argue that some folks aren't going to be bozos and screw up their RPKI deployment, and then some of them -may- possibly want to blame ARIN for -their- screw ups, but I continue to have trouble envisioning how this would ever translate into a lawsuit that wouldn't simply be laughed out of court in about five seconds if handled properly.
Alas, it’s not those who fail to properly configure RPKI that are likely to be litigating, but rather their impacted customers and those customers' business partners who all were unable to communicate due to no fault of their own.
Such a matter will not be thrown out of court, but will be the start of a long and very expensive process involving claims, discovery, experts, etc. (a recent legal matter that was promptly resolved in ARIN’s favor pre-litigation still resulted in more than 1/3 million USD in costs...) Absent a specific reason for dismissal, it is only in actual trial that the preponderance of evidence gets considered – and note that in such a dispute, we’d end up with a jury of regular folks hearing fairly technical arguments about certificate validation, covering ROA’s, caching, etc. In other words, even if handled perfectly, your five second estimate is likely off by a year or more (and hence the reason for indemnification - it provides a clear basis for ARIN’s exit from the matter, as it makes plain that the liability resulting from use of the RPKI repository lies with the ISP.)
Thanks,
/John
John Curran
President and CEO
American Registry for Internet Numbers