Re: ARIN's RPKI Relying agreement

[Rob Seastrom <rs () seastrom com>]

Bill Woodcock <woody () pch net> writes:

> > On Dec 4, 2014, at 7:35 AM, Andrew Gallo <akg1330 () gmail com> wrote:
> >
> > In my informal conversations, what I got was that lawyers read the
> > agreement, said 'no, we wont sign it' and then dropped it.  If
> > specific legal feedback isn't making it back to ARIN, then we need
> > to start providing it,
>
> All the specific legal feedback I’ve heard is that this is a
> liability nightmare, and that everyone wants ARIN to take on all the
> liability, but nobody wants to pay for it.  Are you hearing
> something more useful than that?

The way the RPA is worded, ARIN seems to be attempting to offload all
the risk to its member organizations.

Anything that ARIN does has some degree of risk associated with it.
Twice a year we host parties where alcohol is served.  That's a risky
endeavor on all sorts of ways - at least we're typically taking buses
to and from the event so we aren't driving.  I have heard it asserted
the board is unwilling for the organization to shoulder even that
level of risk as part of providing RPKI.  As a board member, can you
speak to this?

Whether this extreme level of risk aversity is a matter of mistaken
priorities (putting the organization itself ahead of accomplishing the
organization's mission) or a way of making sure that we stop wasting
money on RPKI due to demonstrable non-uptake is left as an exercise to
the reader.

You can infer from the last statement that I would applaud cutting our
losses on RPKI.  The quote on slide 23 of Wes' deck about replacing
complex stuff like email templates with simple, easy to understand
public key crypto was mine.  If you can't get people to play ball
nicely with client filtering, IRR components, etc. where the bar to
entry is low, who can _possibly_ say with a straight face that we can
get people to embrace RPKI?

To the usual suspects: sorry to call your kid ugly.  Don't hate the messenger.

-r