redistribution of the ARIN TAL

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

redistribution of the ARIN TAL

Marco d'Itri
ARIN believes that they have a right to limit distribution of this RSA
public key (used for verification of routing security):

https://www.arin.net/resources/rpki/arin-rfc7730.tal

(This is basically an X.509 subjectPublicKeyInfo, which can be parsed
with openssl asn1parse.)

And they are arguing that people cannot download this file from
a well-known location without first agreeing to some conditions.

Does everybody agree that this is bullshit and that we can distribute
this data in Debian packages as much as we like?

Let's assume that the package maintainer has received the TAL file
anonymously by email, so there is no issue of actually entering in
a contract with ARIN.

(Please Cc: me on replies.)

--
ciao,
Marco

signature.asc (673 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Walter Landry-4
Marco d'Itri <[hidden email]> writes:
> ARIN believes that they have a right to limit distribution of this RSA
> public key (used for verification of routing security):
>
> https://www.arin.net/resources/rpki/arin-rfc7730.tal

I can see that URL without agreeing to anything.  So the only
restrictions on redistribution I can think of would be due to copyright.

> (This is basically an X.509 subjectPublicKeyInfo, which can be parsed
> with openssl asn1parse.)
>
> And they are arguing that people cannot download this file from
> a well-known location without first agreeing to some conditions.
>
> Does everybody agree that this is bullshit and that we can distribute
> this data in Debian packages as much as we like?

This feels very similar to distributing HD-DVD keys [1].  The legal
problem with HD-DVD keys is the US DMCA.  It sounds like that would not
be an issue here.  ARIN might think that they can restrict the
distribution of this file via copyright, but it seems like a pretty
clear case of fair use.

As always, ftpmaster is the one who makes the actual decision.

Cheers,
Walter Landry

[1] https://lists.debian.org/debian-devel/2007/05/msg00043.html

Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Paul Wise via nm
In reply to this post by Marco d'Itri
On Fri, Feb 15, 2019 at 7:00 PM Marco d'Itri wrote:

> And they are arguing that people cannot download this file from
> a well-known location without first agreeing to some conditions.

Do you have any info on the conditions?

> Does everybody agree that this is bullshit and that we can distribute
> this data in Debian packages as much as we like?

IANAL, but it doesn't seem copyrightable to me. I guess there could be
other laws affecting this though.

> (Please Cc: me on replies.)

Done.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Daniel Hakimi
Are they talking about redistribution, or access? Are they saying that we're not allowed to distribute the file ourselves, or are they saying that we're not allowed to download the file without agreeing to the terms?

We might need to agree to their terms of use to use their website. This makes sense -- having every Debian user access their website regularly via some background script would probably have annoying bandwidth costs for them. In the worst case, that could amount to a breach of the CFAA (in the US).

There might also be reasons we can't redistribute the file ourselves, but those are less likely to be a problem -- I would agree that this file probably isn't copyrightable.

Regards,

Daniel J. Hakimi
B.S. Philosophy, RPI 2012
B.S. Computer Science, RPI 2012
J.D. Cardozo Law 2015


On Sat, Feb 16, 2019 at 12:38 AM Paul Wise <[hidden email]> wrote:
On Fri, Feb 15, 2019 at 7:00 PM Marco d'Itri wrote:

> And they are arguing that people cannot download this file from
> a well-known location without first agreeing to some conditions.

Do you have any info on the conditions?

> Does everybody agree that this is bullshit and that we can distribute
> this data in Debian packages as much as we like?

IANAL, but it doesn't seem copyrightable to me. I guess there could be
other laws affecting this though.

> (Please Cc: me on replies.)

Done.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Ben Finney-3
In reply to this post by Marco d'Itri
Marco d'Itri <[hidden email]> writes:

> ARIN believes that they have a right to limit distribution of this RSA
> public key (used for verification of routing security):
> […]
> And they are arguing that people cannot download this file from
> a well-known location without first agreeing to some conditions.

Where can we read those claims and the specific conditions they wish to
apply?

> (Please Cc: me on replies.)

Done.

--
 \        “Absurdity, n. A statement or belief manifestly inconsistent |
  `\            with one's own opinion.” —Ambrose Bierce, _The Devil's |
_o__)                                                Dictionary_, 1906 |
Ben Finney <[hidden email]>

Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Daniel Hakimi
In reply to this post by Walter Landry-4
I just looked up their terms of service, and I don't see any problem at all...

Marco, can you tell us what they actually said, and in what context? Is there an email you can forward?

Regards,

Daniel J. Hakimi
B.S. Philosophy, RPI 2012
B.S. Computer Science, RPI 2012
J.D. Cardozo Law 2015

On Sat, Feb 16, 2019, 03:35 Landry, Walter <[hidden email] wrote:
Marco d'Itri <[hidden email]> writes:
> ARIN believes that they have a right to limit distribution of this RSA
> public key (used for verification of routing security):
>
> https://www.arin.net/resources/rpki/arin-rfc7730.tal

I can see that URL without agreeing to anything.  So the only
restrictions on redistribution I can think of would be due to copyright.

> (This is basically an X.509 subjectPublicKeyInfo, which can be parsed
> with openssl asn1parse.)
>
> And they are arguing that people cannot download this file from
> a well-known location without first agreeing to some conditions.
>
> Does everybody agree that this is bullshit and that we can distribute
> this data in Debian packages as much as we like?

This feels very similar to distributing HD-DVD keys [1].  The legal
problem with HD-DVD keys is the US DMCA.  It sounds like that would not
be an issue here.  ARIN might think that they can restrict the
distribution of this file via copyright, but it seems like a pretty
clear case of fair use.

As always, ftpmaster is the one who makes the actual decision.

Cheers,
Walter Landry

[1] https://lists.debian.org/debian-devel/2007/05/msg00043.html

Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Marco d'Itri
In reply to this post by Paul Wise via nm
(Please Cc me on replies.)

On Feb 16, Paul Wise <[hidden email]> wrote:

> > And they are arguing that people cannot download this file from
> > a well-known location without first agreeing to some conditions.
> Do you have any info on the conditions?
Here they are:
https://www.arin.net/resources/rpki/tal.html

> IANAL, but it doesn't seem copyrightable to me. I guess there could be
> other laws affecting this though.
Contractual law would apply to entities downloading the TAL from the
ARIN web site, but I cannot see how they could apply to a Debian
maintainer who received anonymously the TAL by email...

Some background: https://pc.nanog.org/static/published/meetings/NANOG75/1900/20190219_Yoo_Rpki_Legal_Barriers_v1.pdf

--
ciao,
Marco

signature.asc (673 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Paul Wise via nm
On Thu, Feb 28, 2019 at 6:36 AM Marco d'Itri wrote:

> Here they are:
> https://www.arin.net/resources/rpki/tal.html

For the benefit of the list archives, here is the text of the PDF:

https://www.arin.net/resources/rpki/rpa.pdf

AMERICAN REGISTRY FOR INTERNET NUMBERS, LTD.
RESOURCE CERTIFICATION RELYING PARTY AGREEMENT
YOU MUST READ AND ACCEPT THIS RESOURCE CERTIFICATION RELYING PARTY
AGREEMENT (THIS
“AGREEMENT”) BEFORE ACCESSING OR USING ANY ONLINE RESOURCE
CERTIFICATION PKI (“ORCP”)
SERVICES (AS DEFINED BELOW). IN CONSIDERATION OF ARIN PROVIDING YOU
WITH THE ABILITY TO USE
THE ORCP SERVICES, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO
NOT AGREE TO THE
TERMS OF THIS AGREEMENT, DO NOT SUBMIT A QUERY OR OTHERWISE USE ANY
ORCP SERVICES.
1. PRELIMINARY MATTERS. The ORCP Services made available to You are
subject to the terms of this Agreement,
ARIN’s Certification Practice Statement for Resource Certification
(“ARIN CPS”), and other policies and procedures that
ARIN may adopt from time to time applicable to RPKI or any ORCP
Services (the “RPKI Policies”) that are or will be
published on ARIN’s Website. This Agreement, the ARIN CPS and the RPKI
Policies, each as may be modified from time
to time by ARIN as provided in this Agreement, are referred to
collectively as the “ORCP Service Terms.” The current
ORCP Service Terms may be found on ARIN’s Website at
http://www.arin.net. To the extent there is any conflict or
inconsistency between this Agreement and the ARIN CPS or any RPKI
Policies, this Agreement shall control.
Because of the necessary role that ARIN performs for the Internet
community, ARIN reserves the right, in its sole and
absolute discretion, to amend, supplement, restate or otherwise modify
any or all ORCP Service Terms at any time and
from time to time, including the right to implement new ORCP Service
Terms and/or make some or all ORCP Service
Terms obsolete (collectively, “ORCP Term Modifications”). ARIN will
post any ORCP Term Modifications on its Website
and at such time, they will constitute a part of the ORCP Service
Terms, be effective immediately, and be binding on You.
Your continued access or use of any ORCP Services thereafter
constitutes Your acceptance of such ORCP Term
Modifications.
2. DEFINITIONS.
“CA” means an entity duly authorized under the ARIN CPS to issue,
suspend, or revoke Certificates.
“Certificate” means a message that, at least, states a name or
identifies the issuing CA, identifies the subscriber via a
hash, contains the subscriber’s public key, identifies the
Certificate’s validity period, contains a Certificate serial number,
contains a listing of Internet Resource Number(s), and contains a
digital signature of the issuing CA.
“ORCP Services” means the validation of a Certificate, accessing or
using an ARIN or ARIN-affiliate database of
Certificate revocations, relying on any Certificate-related
information, or otherwise accessing, using or relying on a
Certificate, the ORCP (or any part thereof), and/or related services
provided pursuant to any ORCP Service Terms. In
connection with the ORCP Services, ARIN may provide you with a Trust
Anchor Locator (“TAL”).
“Relying Party” means an individual, entity or other organization that
relies on a Certificate or the information contained in
a Certificate, or otherwise accesses or uses any ORCP Services.
3. TERM AND TERMINATION. ARIN provides the ORCP Services and, in its
sole and absolute discretion, may cease
providing any or all ORCP Services and terminate this Agreement at any
time for any reason or no reason. This
Agreement becomes effective when You first submit a query to search
for a Certificate or otherwise use any ORCP
Services and shall remain in effect until You cease to use all ORCP
Services or until such time that ARIN terminates this
Agreement. The defined terms in this Agreement and the following
sections of this Agreement will survive any termination
of this Agreement and remain enforceable: Sections 4, 5, 6, 7 and 8.
4. INFORMED DECISION. You represent and warrant that You are
knowledgeable in the relevant subject area and
possess sufficient information to make an informed decision as to Your
use of the ORCP Services and Your reliance on
the information contained in a Certificate. You acknowledge and agree
that neither ARIN nor any CA is responsible for
assessing the appropriateness of use of the ORCP Services (or any part
thereof). You acknowledge and agree You are
solely responsible for deciding whether or not to rely on or otherwise
use any ORCP services, including the information in
a Certificate, and ARIN assumes no liability or responsibility for
Your or any other Relying Party’s decision, use or other
action in connection with the ORCP Services (or any part thereof).
You acknowledge and agree that RPKI is an emerging security framework
and with it comes associated risks, including
theft or potential compromise of a private key, which may or may not
be detected, and the possibility of use of a stolen or
compromised private key to forge an unauthorized digital signature.
You acknowledge and agree that ARIN does not
provide any assurance that the ORCP Services (or any part thereof)
will be free from risks, hackers, perpetrators or others
who may seek to misappropriate or engage in improper conduct with
respect to the ORCP Services (or any part thereof).
You acknowledge and agree that neither the ORCP Services (or any part
thereof) nor the Certificate is designed,
intended, or authorized for use in connection with equipment in
hazardous circumstances or for uses requiring fail-safe
performance, including uses in connection with the operation of
nuclear facilities, aircraft navigation or communication
systems, air traffic control systems, or weapons control systems,
where failure could lead to death, personal injury, or
severe environmental damage.
You represent and warrant that: (i) You have the full power and
authority to enter into and perform Your obligations under
this Agreement; (ii) the assent to and performance by You of Your
obligations under this Agreement do not constitute a
breach of or conflict with any other agreement or arrangement by which
You may be bound, or any applicable laws,
regulations, or rules; and (iii) this Agreement constitutes a legal,
valid, binding, and an executory obligation, enforceable in
accordance with its terms.
5. PROHIBITED CONDUCT. You shall not, directly or indirectly, use or
attempt to use the ORCP Services (or any part
thereof) or any of its related content to engage in any activity: that
is not permitted by the ORCP Service Terms or
otherwise is a violation of any law; that violates the rights of any
third party; that transfers or in any way gives any other
party Your access to or use of any ORCP Services; that would
compromise the security or operation of any ORCP
Services; or that would create any modifications or derivative works
of any ORCP Services or any of its related content.
Further, You shall not use, copy, link to, rebroadcast or disclose the
ORCP Services (or any part thereof) or any of its
related content, except as permitted by the ORCP Service Terms. You
shall not, directly or indirectly, disclose, share,
divulge, link to, rebroadcast, provide access to or in any other way
make available the TAL to any third party, except as
permitted by the ORCP Service Terms. You may make available to any
third party the information made available through
the ORCP Services so long as such use and disclosure is solely for
informational purposes, namely reporting,
educational, summary or statistical purposes, and such use and
disclosure of the information is not in a readily machine-
readable format.
6. DISCLAIMERS, EXCLUSIONS, AND LIMITATIONS.
(a) DISCLAIMER OF WARRANTIES. THE ORCP SERVICES, INCLUDING THE
CERTIFICATE, ARE PROVIDED ON
AN “AS-IS” BASIS WITH ALL RISKS AND FAULTS ASSOCIATED THEREWITH. ARIN MAKES NO
REPRESENTATION, WARRANTY OR COVENANT OF ANY KIND WITH RESPECT TO ANY
CERTIFICATE OR ORCP
SERVICES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY IMPLIED
WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTION OF
REQUIREMENTS, NON-
INFRINGEMENT, OR ANY WARRANTY ARISING OUT OF A COURSE OF PERFORMANCE,
DEALING, TRADE OR
USAGE. ANY AND ALL REPRESENTATIONS, WARRANTIES AND COVENANTS ARE
HEREBY DISCLAIMED BY
ARIN AND WAIVED BY YOU. WITHOUT LIMITING THE GENERALITY OF THE
FOREGOING, ARIN DOES NOT
REPRESENT, WARRANT OR COVENANT THAT ANY ORCP SERVICES, CERTIFICATE, OR
ANY ACCESS OR USE
THEREOF WILL (i) BE UNINTERRUPTED, (ii) BE FREE OF DEFECTS,
INACCURACIES, OR ERRORS, (iii) MEET
YOUR REQUIREMENTS, OR (iv) OPERATE IN THE CONFIGURATION OR WITH OTHER
HARDWARE OR
SOFTWARE YOU USE.
(b) EXCLUSION OF LIABILITIES AND DAMAGES. NOTWITHSTANDING ANYTHING TO
THE CONTRARY, ARIN WILL
NOT BE LIABLE TO YOU OR ANY THIRD PARTY, INCLUDING ANY OF YOUR CLIENTS
OR CUSTOMERS, FOR ANY
LIABILITIES AT LAW OR IN EQUITY OR FOR ANY DAMAGES, INCLUDING
CONSEQUENTIAL, INCIDENTAL,
INDIRECT, PUNITIVE, EXEMPLARY, OR SPECIAL DAMAGES (INCLUDING
LIABILITIES OR DAMAGES RELATING
TO LOST PROFITS, LOST DATA, OR LOSS OF GOODWILL) ARISING OUT OF,
RELATING TO, OR CONNECTED
WITH ANY ORCP SERVICES, ANY CERTIFICATE, OR OTHERWISE IN CONNECTION
THEREWITH, WHETHER
BASED ON CONTRACT, TORT, STATUTE, OR ANY CAUSE OF ACTION, EVEN IF YOU
ARE ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
(c) LIMITATION OF LIABILITY. IN NO EVENT, WHETHER BASED ON CONTRACT,
TORT, STATUTE, OR ANY CAUSE
OF ACTION, WILL ARIN’S LIABILITY TO YOU OR ANY THIRD PARTY, INCLUDING
ANY OF YOUR CLIENTS OR
CUSTOMERS, EXCEED ONE HUNDRED U.S. DOLLARS (US$100.00) IN THE AGGREGATE.
7. INDEMNIFICATION. You shall indemnify, defend, and hold harmless
ARIN and CAs and each of its respective parent
and subsidiaries, each of their respective predecessors, successors
and assigns, each of their respective employees,
representatives, agents, attorneys, advisors, trustees, directors,
officers, managers, and members from any and all
claims, demands, disputes, actions, suits, proceedings, judgments,
damages, injuries, losses, expenses, costs and fees
(including reasonable attorneys’ fees and expenses), interests, fines
and penalties of whatever nature (collectively,
“Claims”) asserted by a third party in connection with: (i) any access
or use of the ORCP Services (or any part thereof) by
You or other Relying Party permitted or authorized by You, including
any of Your customers or clients, or other persons
acting by, through, under or in concert with any of them
(collectively, “Your Associated Persons”); and/or (ii) any breach or
violation of any ORCP Service Terms by You or any of Your Associated
Persons. You shall keep ARIN informed of and
consult with ARIN in connection with the progress and handling of the
Claims. You shall not settle, compromise, or in any
other manner dispose of any Claim without the prior written consent of
ARIN. ARIN shall have the right to participate in
the settlement, compromise and/or disposition of any Claim.
8. MISCELLANEOUS PROVISIONS.
(a) Governing Law, Jurisdiction, Venue and Dispute Resolution. This
Agreement and the other ORCP Service Terms and
the parties’ performance shall be governed in all respects by, and
construed in accordance with, the laws of the
Commonwealth of Virginia and, as applicable, the United States of
America. In the event of any dispute that is not
resolved through cooperative settlement negotiations between the
parties, the parties shall submit any unresolved
disputes to binding and final arbitration to be held in Washington,
D.C. or as otherwise agreed upon in writing by the
parties in accordance with the rules of the American Arbitration
Association then in effect. Notwithstanding the foregoing
in this Paragraph, either party may bring an action before any court
having competent jurisdiction for a temporary
restraining order, preliminary injunction and/or other injunctive
relief to seek to maintain the status quo between the
parties pending resolution of the dispute(s) in accordance with the
terms of this Paragraph,
(b) Government Cooperation. ARIN shall have the right, without
liability to You, any Relying Party or any other third party,
to cooperate and comply with all applicable laws, statutes, rules, or
regulations and all government or judicial inquiries or
orders with respect to any access or use of the ORCP Services (or any
part thereof), including obtaining information from
ARIN regarding allegations of any prohibited conduct by You, any
Relying Party or other third party.
(c) Property Rights. ARIN retains all intellectual property rights
(including patent, trademark, copyright and trade secret
rights) in connection the ORCP Services (or any part thereof). Nothing
provided by ARIN in connection with the ORCP
Services (or any part thereof) constitutes a conveyance or transfer of
any ownership rights (whether real, personal, or
intellectual property rights) in the ORCP Services (or any part
thereof) to You or other Relying Party.
(d) Assignment. You may not assign or transfer, whether voluntarily or
by operation of law, this Agreement or any other
ORCP Service Terms, without ARIN’s prior written consent.
(e) Relationship of Parties. The relationship between the parties is
and will be that of independent contractors. No joint
venture, partnership, employment, agency, or similar arrangement is
created between the parties. Neither you nor any
other Relying Party has any right or power to act for or on behalf of
ARIN or to bind ARIN in any respect.
(f) Force Majeure. ARIN shall not be deemed in breach under any ORCP
Service Terms, nor shall ARIN be responsible
for any cessation, interruption, or delay in the performance of its
obligations under any ORCP Service Terms where such
failure of performance is the result of any force majeure event,
including earthquake, flood, fire, storm, natural disaster,
act of God, civil disturbances, war, terrorism, armed conflict, riots,
failure of contractors or subcontractors to perform, labor
strike, lockout, boycott, or acts of governmental authorities.
(g) Entire Agreement. This Agreement and the other ORCP Service Terms
(which are hereby incorporated by reference to
the extent they do not conflict with this Agreement) constitute the
entire understanding between the parties and replaces
and supersedes any and all prior and contemporaneous agreements and
understandings, whether oral or written, express
or implied, between the parties with respect to the ORCP Services (or
any part thereof).
(h) Amendment. Except as provided in Section 1 of this Agreement, no
amendment of any provision of this Agreement
shall be valid unless the same shall be in writing and authorized in
writing by ARIN, which writing specifically references
such as an amendment to this Agreement.
(i) Severability. If any provision of this Agreement is determined to
be illegal, invalid, or otherwise unenforceable by a
court or tribunal of competent jurisdiction, then to the extent
necessary to make such provision and/or this Agreement
legal, valid, or otherwise enforceable, such provision will be
limited, construed, or severed and deleted from this
Agreement, and the remaining portion of such provision and the
remaining other provisions hereof will survive, remain in
full force and effect, and continue to be binding, and will be
interpreted to give effect to the intention of the parties insofar
as possible.

--
bye,
pabs

https://wiki.debian.org/PaulWise

On Thu, Feb 28, 2019 at 6:36 AM Marco d'Itri <[hidden email]> wrote:

>
> (Please Cc me on replies.)
>
> On Feb 16, Paul Wise <[hidden email]> wrote:
>
> > > And they are arguing that people cannot download this file from
> > > a well-known location without first agreeing to some conditions.
> > Do you have any info on the conditions?
> Here they are:
> https://www.arin.net/resources/rpki/tal.html
>
> > IANAL, but it doesn't seem copyrightable to me. I guess there could be
> > other laws affecting this though.
> Contractual law would apply to entities downloading the TAL from the
> ARIN web site, but I cannot see how they could apply to a Debian
> maintainer who received anonymously the TAL by email...
>
> Some background: https://pc.nanog.org/static/published/meetings/NANOG75/1900/20190219_Yoo_Rpki_Legal_Barriers_v1.pdf
>
> --
> ciao,
> Marco



--
bye,
pabs

https://wiki.debian.org/PaulWise
http://bonedaddy.net/pabs3/

Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Paul Wise via nm
In reply to this post by Marco d'Itri
On Thu, Feb 28, 2019 at 6:36 AM Marco d'Itri wrote:

> Contractual law would apply to entities downloading the TAL from the
> ARIN web site, but I cannot see how they could apply to a Debian
> maintainer who received anonymously the TAL by email...

IANAL, so I wonder how one could be subject to a contract when
downloading a file that doesn't even require a click-through agreement
form?

--
bye,
pabs

https://wiki.debian.org/PaulWise

Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Paul Wise via nm
On Thu, Feb 28, 2019 at 11:17 AM Paul Wise wrote:
> On Thu, Feb 28, 2019 at 6:36 AM Marco d'Itri wrote:
>
> > Contractual law would apply to entities downloading the TAL from the
> > ARIN web site, but I cannot see how they could apply to a Debian
> > maintainer who received anonymously the TAL by email...
>
> IANAL, so I wonder how one could be subject to a contract when
> downloading a file that doesn't even require a click-through agreement
> form?

So far we have come up with possible DMCA & contractual law issues
related to redistributing this file. I think we should get actual
lawyers on the case to figure this out and I suggest you contact the
DPL in order to proceed with that, IIRC Debian has access to lawyers
at Conservancy or the SFLC, I forget which.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Reply | Threaded
Open this post in threaded view
|

Re: redistribution of the ARIN TAL

Florian Weimer
In reply to this post by Marco d'Itri
* Marco d'Itri:

> ARIN believes that they have a right to limit distribution of this RSA
> public key (used for verification of routing security):
>
> https://www.arin.net/resources/rpki/arin-rfc7730.tal

Do they actually do that?  Prevent redistribution?

If so, I can't find where.

> Does everybody agree that this is bullshit and that we can distribute
> this data in Debian packages as much as we like?

I think this is modeled after past relaying party agreements pretty
much all the browser CAs used.

Here's a current example:

<https://www.digicert.com/legal-repository/DigiCertRelyingPartyAgreement.pdf>

I think these terms are rather benign because as far as I can see,
they do not try to control redistribution of key material (something
that has been attempted in the past).