Bill Woodcock <woody@pch.net> writes:
On Dec 4, 2014, at 7:35 AM, Andrew Gallo <akg1330@gmail.com> wrote:
In my informal conversations, what I got was that lawyers read the agreement, said 'no, we won't sign it' and then dropped it. If specific legal feedback isn't making it back to ARIN, then we need to start providing it,
All the specific legal feedback I've heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. Are you hearing something more useful than that?
The way the RPA is worded, ARIN seems to be attempting to offload all the risk to its member organizations. Anything that ARIN does has some degree of risk associated with it. Twice a year we host parties where alcohol is served. That's a risky endeavor in all sorts of ways - at least we're typically taking buses to and from the event so we aren't driving. I have heard it asserted the board is unwilling for the organization to shoulder even that level of risk as part of providing RPKI. As a board member, can you speak to this?

Whether this extreme level of risk aversity is a matter of mistaken priorities (putting the organization itself ahead of accomplishing the organization's mission) or a way of making sure that we stop wasting money on RPKI due to demonstrable non-uptake is left as an exercise to the reader. You can infer from the last statement that I would applaud cutting our losses on RPKI.

The quote on slide 23 of Wes' deck about replacing complex stuff like email templates with simple, easy to understand public key crypto was mine. If you can't get people to play ball nicely with client filtering, IRR components, etc. where the bar to entry is low, who can _possibly_ say with a straight face that we can get people to embrace RPKI?

To the usual suspects: sorry to call your kid ugly. Don't hate the messenger.

-r