[anti-abuse-wg] WHOIS (AS204224)

Hi Roland,

> The old saying is "The best is the enemy of the good".  Validation and/or
> verification of RIPE WHOIS data can be improved, even though any system
> which attempts to do so most probably cannot be made foolproof.

Ok

> No.  You're still thinking in terms of constructing an iron-clad and
> absolutely foolproof system that utterly prevents all fraud.  I'm
> suggesting a system with vastly less ambitious goals, one which would
> simply check that the voice phone number for a given person or entity
> listed in the RIPE WHOIS db *isn't* simply disconnected, out-of-service,
> the number of a FAX machine, the number of a company or individual whose
> identity has been stolen, or the number of an unrelated brothel in
> Amsterdam.   That alone would be a vast improvement over the current
> status quo, I think.

Agreed

> Similarly, in the case of mailing addresses, either RIPE NCC or the LIRs
> could check the data base of one of the aforementioned service bureaus
> that serve that mailing industry, to see if the addresses in RIPE WHOIS
> records even exist.  A clever crook will still put in the address of
> some vacant lot somewhere, or maybe his local meat market or police
> station, but at least we wouldn't be looking at "123 Galaxy St., Mars,
> The Universe" and such utter nonsense as that.

NASA is going to be so disappointed ;)
But seriously: I agree

>> My apologies. I didn't mean to imply that accuracy of the RIPE DB is a
>> mere detail. That accuracy has been the reason behind quite a few
>> policies! I meant to say that policy doesn't contain implementation
>> details. The way a policy is implemented is left to the RIPE NCC. The
>> policy just says that contact information has to be up to date.
> 
> I want to understand.  Are you saying that RIPE NCC could unilaterally
> just decide to start performing phone verification of contact points
> listed in the WHOIS data base?

It probably would need a mandate from its members to approve the extra budget for implementing those checks etc. But I don't see why they couldn't.

> Even for amateur sleuths such as myself, every additional data point
> helps during an investigation.  The example of AS204224 is illustrative.
> If I knew for certain that someone had positively validated the phone
> number when that AS has been assigned in July, then I would also know,
> almost to a moral certainty, that the company itself, and not some
> identity thief, was the party engaged in the recent routing hanky
> panky.

Understood

> You are thinking about formal, government-held business records.  I myself
> am not.  Official government business records, when available, are helpful
> to investigations.  But if they aren't available, then they aren't, and
> that's all there is to it.  You work with what you have.

+1

> OK.  I promise not to attach too much value to a validated phone
> number.  Seriously, I agree with you that checking the phone number
> isn't a panacea, but it's better than nothing.

Glad we're agreeing :)

> I apologize.  You are correct,   That comment on my part was utterly
> uncalled for, and I would very much like to retract it.

Consider it retracted :)

> But I hope that you understand my sensitivity.

I do. Sometimes when discussing difficult subjects the wording can get a bit too strong. I can deal with that, and I know you have good intentions.

I now understand your ideas better, and understand that you are looking for a first step in improving the database accuracy. Not looking for a complete solution as I was :)  I think we reached the point where we should ask the RIPE NCC on their opinion on this and to see what they think is doable.

Cheers,
Sander