can you find the fatal flaw?
[ hint: how does an isp in phnom penh validate my route? ]
randy
Hi Randy
Your question is a bit cryptic. Could you be more specific about your
concern?
Thanks,
Mark
I think Randy meant to imply that requiring anyone that wants to
actually use the RPKI to make a legal agreement with ARIN might not be
the best way to encourage deployment.
I think Randy meant to imply that requiring anyone that wants to
actually use the RPKI to make a legal agreement with ARIN might not be
define 'use'...
o 'stick their objects into the repo' sure a contract sounds good
o 'access the repo to download content' - no, that doesn't sound
like it needs a contract
is this a messaging problem/issue or did ARIN mean that 'to download
content you must sign an agreement/contract with ARIN?' (I hope that
the answer is: "of course not! that sounds silly... our messaging
could be improved")
a closer (by me) reading of:
" In order to access the
production RPKI TAL, you will first have to agree to ARIN's Relying
Party Agreement before the TAL will be emailed to you. To request the
TAL after the production release, follow this link:
http://www.arin.net/public/rpki/tal/index.xhtml"
though kinda leads me into the hole randy/richard fell into... 'to
poke the TAL and figure out where things are, you have to sign an
agreement'.
Isn't the structure of the global system something like:
"each asn has a publication point, potentially some share
publication-points, everyone has to access everyone else's publication
point"
and 'TAL' ... seems like odd to me as an RP, don't I want the one TA
from IANA (yes, eventually) or at the very least the 1 from each RIR ?
(which is a simple single item to download and use in validating the
content I get from all the rest of the world?)
-chris
.....
a closer (by me) reading of:
" In order to access the
production RPKI TAL, you will first have to agree to ARIN's Relying
Party Agreement before the TAL will be emailed to you. To request the
TAL after the production release, follow this link:
http://www.arin.net/public/rpki/tal/index.xhtml"though kinda leads me into the hole randy/richard fell into... 'to
poke the TAL and figure out where things are, you have to sign an
agreement'.
My interpretation was what Randy implied, and that ARIN
wants an agreement with everyone who gets a (presumably
unique to the agreement) TAL to protect ARIN. That would
seem like a lot of overhead to maintain to me (since as I recall
a TAL may never, ever (ok, very rarely) change), but then
appropriate risk management has always been an interesting
thing to watch in the (potentially litigious) ARIN region.
Gary
I'll let Randy speak for Randy (only he could do such a fine job).
I do agree with Chris (and many others) that this whole thing falls apart pretty quickly without a single root (e.g., think of the browser CA problem) -- for many reasons.
I'd wager what ARIN is going to do in said "Relying Party Agreement" is tell RPs (i.e., *relying* parties) that they ought not rely to much on the data for routing, and if they do and something gets hosed, ARIN's not at fault -- but I'll wait to read the actual agreement before speculating more.
-danny
[ hint: how does an isp in phnom penh validate my route? ]
Your question is a bit cryptic.
moi? 
Could you be more specific about your concern?
essentially, as the rirs have resisted iana being the root ta, the arin
tal is necessary for anyone to validate anything which dependa on the
arin data. effectively you are requiring every router operator in the
world to sign your document. does not work.
randy
I'd wager what ARIN is going to do in said "Relying Party Agreement"
is tell RPs (i.e., *relying* parties) that they ought not rely to much
on the data for routing, and if they do and something gets hosed,
ARIN's not at fault -- but I'll wait to read the actual agreement
before speculating more.
that too is my *speculation*. which would be interesting, as accurate
primary data is arin's primary responsibility. but anyone who has
looked at any of the rirs' data seriously needed a strong stomach.
randy
If a relying party's use of PKI infrastructure legally equated to
acceptance of the relying party agreement (RPA), then having an
explicit record of acceptance of the RPA would not be necessary.
Alas, it does not appear possible to equate use of PKI certificates
with agreement to the associated RPA (and some might argue that this
is a feature, as some folks would not want to be legally bound to an
agreement which they did not explicitly review and accept.)
FYI,
/John
John, Randy:
I'm confused. Are you saying that unlike a whois lookup, I'll need a
contract with ARIN to look up and validate someone else's RPKI
certificate?
Would you clarify which parts of RPKI I need a contract with ARIN to
do and which parts I do not?
Thanks,
Bill Herrin
If a relying party's use of PKI infrastructure legally equated to
acceptance of the relying party agreement (RPA), then having an
explicit record of acceptance of the RPA would not be necessary.Alas, it does not appear possible to equate use of PKI certificates
with agreement to the associated RPA (and some might argue that this
is a feature, as some folks would not want to be legally bound to an
agreement which they did not explicitly review and accept.)
do you have a r&d group devoted to how much you can delay, damage, warp,
half-assed implement, ... rpki? look around you at the real world, the
other rirs (especiall ripe/ncc), etc. the only part of it where arin
seems to be doing a serious job is bs generation. thanks.
randy
Good morning Randy -
Are you indicating that RPKI services should be offered without any
RPA (and/or CPS) at all, or that these agreements should legally
adhere without explicit agreement? There is an statement expressing
that CPS or RPA might benefit from the latter treatment in section
3.4 of the Internet PKI framework (RFC 3647), but it does not actually
hold legally true at the present time. If you have more insight or
clarity on this matter, it would be most welcome.
Thanks!
/John
John Curran
President and CEO
ARIN
Good morning Randy -
it is late afternoon
Are you indicating that RPKI services should be offered without any
RPA (and/or CPS) at all, or that these agreements should legally
adhere without explicit agreement? There is an statement expressing
that CPS or RPA might benefit from the latter treatment in section
3.4 of the Internet PKI framework (RFC 3647), but it does not
actually hold legally true at the present time. If you have more
insight or clarity on this matter, it would be most welcome.
does arin run an irr instance? how much legal bs have you wrapped
around it?
randy
Good morning Randy -
it is late afternoon
Indeed... that may contribute significantly to the difference in
perspective. In the US, little details such as legal structures
often take on greater importance than would be otherwise warranted.
Are you indicating that RPKI services should be offered without any
RPA (and/or CPS) at all, or that these agreements should legally
adhere without explicit agreement? There is an statement expressing
that CPS or RPA might benefit from the latter treatment in section
3.4 of the Internet PKI framework (RFC 3647), but it does not
actually hold legally true at the present time. If you have more
insight or clarity on this matter, it would be most welcome.does arin run an irr instance?
Yes.
how much legal bs have you wrapped around it?
If we were establishing it today, I do not know what, if any, legal
machinations would be needed. This is similar to RFCs, which were
published first without any preamble but now have significant legal
structure at the front.
FYI,
/John
John Curran
President and CEO
ARIN