Dear John,

I'd like to thank you and the ARIN team for these efforts - in doing so I feel that ARIN recognises issues & concerns related to the distribution of the ARIN RPKI TAL. Acknowledging a problem is the first step to solving it!

On Sat, Oct 13, 2018 at 09:35:36AM -0400, John Curran wrote:
On 25 Sep 2018, at 3:34 PM, Job Snijders <job@ntt.net> wrote:
... What I'm hoping for is that there is a way for the ARIN TAL to be included in software distributions, without compromising ARIN's legal position.
Perhaps an exception for software distributors would already go a long way?
While not exactly what you seek, we can get a bit closer to the goal – i.e. by eliminating the need for the user installing a software package to first go get the ARIN TAL and put it in the right place prior to running the installation software.
To that end, the ARIN TAL page https://www.arin.net/resources/rpki/tal.html has been revised with specific guidance –
Software Installation Tools
Software installation tools may download the ARIN TAL on behalf of a user after the user has confirmed their acceptance of the ARIN Relying Party Agreement (RPA) on the ARIN website. This acceptance must require "agreement to the ARIN Relying Party Agreement (https://www.arin.net/resources/rpki/rpa.pdf)" and obtain a non-ambiguous affirmative action by clicking on, or the entry of, a word of agreement (such as "yes" or "accept")
Example: Attention: This package requires the download of the ARIN TAL and agreement to the ARIN Relying Party Agreement (RPA) (https://www.arin.net/resources/rpki/rpa.pdf). Type "yes" to agree, and you can proceed with the ARIN TAL download: yes
In this approach I still observe an institutional barrier. If we take DNSSEC as an analogous concept, when installing & starting BIND, unbound, NSD, knot, Microsoft DNS, or PowerDNS, no affirmative actions are required.

It is also not clear to me how, in the context of fully automated installation & deployment, the paradigm of 'non-ambiguous affirmative action' can exist. If we instruct orchestration software to say 'yes' to whatever questions pop up, what does that actually mean? It certainly no longer adheres to the spirit of whatever it is that ARIN seeks.

Lastly - having to download a file ('requiring specific network connectivity') in the context of installation & deployment is always inferior compared to bundling all required pieces into coherent software packages.
We will continue to explore mechanisms for making ARIN’s RPKI repository more accessible to the community, but felt that this interim step could be accomplished promptly and was worth noting in a timely manner to those distributing RPKI software.
Yes - please do. Providing guidance to software distributors does not change some of the challenging contents of the RPA, nor does it address the fundamental institutional barrier that separates the ARIN TAL from the other RIR TALs.

Kind regards,

Job