This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/address-policy-wg@ripe.net/
[address-policy-wg] identity verification for individuals holding Internet number resources
- Previous message (by thread): [address-policy-wg] identity verification for individuals holding Internet number resources
- Next message (by thread): [address-policy-wg] identity verification for individuals holding Internet number resources
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
David Monosov
davidm at futureinquestion.net
Wed Feb 26 00:42:43 CET 2014
Dear address-policy-wg, Jim, On 02/25/2014 11:49 PM, Jim Reid wrote: > On 25 Feb 2014, at 22:07, Carsten Schiefner <ripe-wgs.cs at schiefner.de> wrote: > >> what Richard said: what is good enough for (German) banks to e.g. open an account, should be sufficient for the NCC as well, me thinks. > > The problem with that Carsten is it doesn't scale. What's good enough to open a bank account in Germany might not be good enough to open one elsewhere. Or vice versa. It will be verging on the impossible for the NCC to keep track of all that across the NCC's service region and navigate a path through that maze which is compatible with national law across every jurisdiction. > > Assuming that "whatever's good enough for a bank account" is or should be the criteria to apply here seems disproportionate and unreasonable too. > > I'm not sure there's a justifiable case for the NCC to hold copies of passports and what have you AT ALL. Or verifying the bona fides of those documents either. > > It seems to me that it should be good enough for the NCC to know that some chunk of number resources were allocated to an individual called Mickey Mouse of Eurodisney and not a Donald Duck (say) at the same postal address. In other words, the NCC has a very strong certainty of knowing which resources were allocated to whom but it doesn't need to have the same degree of certainty that the resource holder is who they claim to be. IMO all that matters should be the NCC can establish which M. Mouse really is the resource holder, regardless of what names and numbers are on the official identity documents for whoever claims to be that M. Mouse, assuming such documents exist and are genuine. That would appear to be just a variation on the problem of dealing with number resources that were allocated to long-dead LIRs or others that no longer have timely, accurate database entries. > > PS: Apologies for using a meaningful Subject: header. > There was a time when the last 'R' in 'RIR' stood for 'Registry', and as such the function of RIPE NCC was not profoundly different from the function of a wedding gift registry - convenient means to reduce the embarrassment of a household opening two packages containing two identical toasters when unwrapping gifts. Today, the last 'R' in 'RIR' is silent, and appears in the minds of some to have been replaced with 'A' for 'Authority'. This is an unfortunate, and I believe, largely unintended development. It appears to me from Nick's last e-mail that there is an idea circulating out there that the current operational practice is the consequence of attempting to fulfill a set of criteria which is necessary to give some legal weight to the process of resource certification, as an obvious and logical extension of the RPKI efforts. I don't see any benefit to the RIPE NCC drowning in an escalating bureaucratic horror conjured out of externally placed requirements (whether they are borrowed from the EU e-Commerce directive, or elsewhere), performing mysterious document authentication rituals for the purpose of issuing a certificate of dubious worth, but which in turn is fully compliant with some external set of legal requirements. Wearing my professional hat for a moment, I certainly am not paying LIR fees to subsidize the transition of the RIPE NCC into the next VeriSign or Thawte as a general purpose certificate authority, subject to all the environmental pressures such authorities find themselves exposed to. To me, RPKI, if done at all (and that is a big "if"), is a technical solution; The "strength" of the input, in terms of identity verification (and the operational procedures which are acceptable to that end) are to be determined ad-hoc by the community through the policy process, and strengthened or loosened as needed to meet policy goals. We need to stop and consider if RPKI, by necessity, indeed requires a transition from Internet "Registries" to Internet "Authorities", with all that entails - and if this is something we are willing to embrace. This isn't an introduction of a new service into a RIR's catalog, this is a paradigm shift. One which we need to concretely address in order to be able to hold a meaningful discussion as to which operational practices are or aren't necessary, and toward what goal.
- Previous message (by thread): [address-policy-wg] identity verification for individuals holding Internet number resources
- Next message (by thread): [address-policy-wg] identity verification for individuals holding Internet number resources
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]