[address-policy-wg] identity verification for individuals holding Internet number resources

Dear address-policy-wg, Jim,

On 02/25/2014 11:49 PM, Jim Reid wrote:
> On 25 Feb 2014, at 22:07, Carsten Schiefner <ripe-wgs.cs at schiefner.de> wrote:
> 
>> what Richard said: what is good enough for (German) banks to e.g. open an account, should be sufficient for the NCC as well, me thinks.
> 
> The problem with that Carsten is it doesn't scale. What's good enough to open a bank account in Germany might not be good enough to open one elsewhere. Or vice versa. It will be verging on the impossible for the NCC to keep track of all that across the NCC's service region and navigate a path through that maze which is compatible with national law across every jurisdiction.
> 
> Assuming that "whatever's good enough for a bank account" is or should be the criteria to apply here seems disproportionate and unreasonable too.
> 
> I'm not sure there's a justifiable case for the NCC to hold copies of passports and what have you AT ALL. Or verifying the bona fides of those documents either.
> 
> It seems to me that it should be good enough for the NCC to know that some chunk of number resources were allocated to an individual called Mickey Mouse of Eurodisney and not a Donald Duck (say) at the same postal address. In other words, the NCC has a very strong certainty of knowing which resources were allocated to whom but it doesn't need to have the same degree of certainty that the resource holder is who they claim to be. IMO all that matters should be the NCC can establish which M. Mouse really is the resource holder, regardless of what names and numbers are on the official identity documents for whoever claims to be that M. Mouse, assuming such documents exist and are genuine. That would appear to be just a variation on the problem of dealing with number resources that were allocated to long-dead LIRs or others that no longer have timely, accurate database entries.
> 
> PS: Apologies for using a meaningful Subject: header.
> 

There was a time when the last 'R' in 'RIR' stood for 'Registry', and as such
the function of RIPE NCC was not profoundly different from the function of a
wedding gift registry - convenient means to reduce the embarrassment of a
household opening two packages containing two identical toasters when unwrapping
gifts.

Today, the last 'R' in 'RIR' is silent, and appears in the minds of some to have
been replaced with 'A' for 'Authority'. This is an unfortunate, and I believe,
largely unintended development.

It appears to me from Nick's last e-mail that there is an idea circulating out
there that the current operational practice is the consequence of attempting to
fulfill a set of criteria which is necessary to give some legal weight to the
process of resource certification, as an obvious and logical extension of the
RPKI efforts.

I don't see any benefit to the RIPE NCC drowning in an escalating bureaucratic
horror conjured out of externally placed requirements (whether they are borrowed
from the EU e-Commerce directive, or elsewhere), performing mysterious document
authentication rituals for the purpose of issuing a certificate of dubious
worth, but which in turn is fully compliant with some external set of legal
requirements.

Wearing my professional hat for a moment, I certainly am not paying LIR fees to
subsidize the transition of the RIPE NCC into the next VeriSign or Thawte as a
general purpose certificate authority, subject to all the environmental
pressures such authorities find themselves exposed to.

To me, RPKI, if done at all (and that is a big "if"), is a technical solution;
The "strength" of the input, in terms of identity verification (and the
operational procedures which are acceptable to that end) are to be determined
ad-hoc by the community through the policy process, and strengthened or loosened
as needed to meet policy goals.

We need to stop and consider if RPKI, by necessity, indeed requires a transition
from Internet "Registries" to Internet "Authorities", with all that entails -
and if this is something we are willing to embrace. This isn't an introduction
of a new service into a RIR's catalog, this is a paradigm shift. One which we
need to concretely address in order to be able to hold a meaningful discussion
as to which operational practices are or aren't necessary, and toward what goal.