In message <06570278-E1AD-4BB0-A9FC-11A77BED76E1@arin.net>, John Curran <jcurran@arin.net> wrote:
Even so, we at ARIN are in the midst of a Board-directed review of the RPKI legal framework to see if any improvements can be made <https://www.arin.net/ vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf> – I will provide further updates once it is completed.
This is an excellent presentation John, and I'm real glad to see that you have done such a nice job on it and touched on all of the important points. In particular, I'm glad that you clarified that if everyone is just doing what they ought to be doing, i.e. following best practices, then even if RPKI central and all of its sister satellites should all be simultaneously hit by metorites, then in theory at least, nobody should be any worse off than they already are today. And yes, I can't argue and won't argue that some folks aren't going to be bozos and screw up their RPKI deployment, and then some of them -may- possibly want to blame ARIN for -their- screw ups, but I continue to have trouble envisioning how this would ever traslate into a lawsuit that wouldn't simply be laughed out of court in about five seconds if handled properly. Some arguably proximate historical analogs might be relevant here. In the past, there have occasionally been problems when one or more of the root name servers have been DDoSd or have otherwise had issues. I don't recall anybody lining up to sue ICANN in those instances. Spamhaus and other public anti-spam services publish their stuff to all comers, without demanding indemnification. Yes, they have been sued from time to time, but none of that has ever resulted in any meaningful damages, and if the company itself had just been more consistant in obtaining sound legal advice, none of those events would even have been all that bothersome. So, what makes ARIN so special that it can't do what these others are doing and just simply publish some information? ARIN is in the State of Virginia the last time I checked, and I do believe that the First Amendment still applies in the State of Virginia, and indeed in all 50 states. I mean it isn't as if ARIN is going to go around yelling "Fire!" in a crowded theater for God's sake! So, you just slap a label on the whole bloody RPKI thing that says "Use at your own risk" and that ought to do it, I think. I understand that Steve Ryan may not see it that way, but it's his job not to see it that way. In practice, there is no need for -both- belt -and- suspenders. Regards, rfg P.S. Proactive failure testing (slide #15) is an excellent idea. You could and probably should fail the whole thing deliberately for 24 hours once a year, just as a way of shaking the trees to see what idiots fall out. It would be like DNS Flag Day, on steroids.