This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] WHOIS (AS204224)
- Previous message (by thread): [anti-abuse-wg] WHOIS (AS204224)
- Next message (by thread): [anti-abuse-wg] WHOIS (AS204224)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sascha Luck [ml]
aawg at c4inet.net
Wed Nov 4 19:42:11 CET 2015
On Wed, Nov 04, 2015 at 06:17:10PM +0100, denis wrote: >That may well be right, but if the sponsor cannot understand the >language of the resource holder the validation may not be very >effective. The price you pay for a globalised society. I can see your point but this isn't something you can prevent par ordre du mufti. Besides, what if the only one in the company who speaks English leaves? >I never mentioned email or majority. 'Some' people I have talked >to at RIPE Meetings have agreed with me. The majority will not >even talk about it. Well, they may agree privately but at the end of the day they probably vote the interests of their employer. It happens. >>1) All resource holders are presumed to be bad actors and all >>of their data must be kept in a database, their correctness to >>be strictly enforced. > >That seems to be the basis of this whole thread....not my >assumption Oh, no, I don't want to accuse you personally of this assumption! This entire topic is being discussed on this assumption and *that* is what I take issue with. For the record, in my experience: - The NCC is doing the job assigned to it by relevant policy fairly, justly and to the best of its abilities. - The *vast* majority of its members are perfectly law-abiding LIRs who only want to go about their business. - The procedures to deal with them are generally sufficient A few people or companies who act in bad faith do not change this fact and there is no reason to put the entire membership under general suspicion and waste its time and fees with elaborate data collection / verification schemes. In the absence of any hard evidence to the contrary (beyond one or two suspicious cases) *that* is the basis on which this discussion should be maintained. >I actually have some very strong views on making parts of the >data in the RIPE Database private, but that is another >proposal... Well. It is on-topic insofar as I could live with more data collection *if* that data were properly protected. >>The very idea that someone might use this data for nefarious >>purposes is obviously farcical. > >You have a very negative and misguided view of what I am saying. Again, not an attack on you but of the prevailing opinion that the data in the ripedb is only used by "good" people for "good" purposes... If these show up in a reply to you it's only because it's a good plce, dialectically. >First of all I never said anything about personal data. Maybe >you have not heard of the concept of business data. Maybe also Many resource holders are persons. Many more people involved somehow with the management of resources are persons. Besides, even business data is somewhat sensitive. Where else outside the LIR/RIR world do businesses have to maintain all information about all of their business relationships in a public database? >you have never had problems trying to contact people regarding >resources in the RIPE Database. The 2007-01 policy to contact >all resource holders took about 7 years to implement. I suspect >many of them are uncontactable again by now. the sponsoring-org object is very helpful with that. Admittedly I was against it but it has shown to be very useful now that it is deployed. >The complexity of this database schema allows for many ways to >hide yourself. By manipulating the relationship between PERSON, >ROLE, MNTNER, ORGANISATION objects and building complex >references and chains of objects it can become very difficult to >find who to contact. Do you realise you can make a business out >of a MNTNER object? Yes. I do. I'm mntner or co-mntner on a few objects. > If you 'own' the MNTNER object you can >provide a service to other people. You put the password of some >anonymous person into your MNTNER and this anonymous person can >then maintain resources. As the 'owner' of the MNTNER you can >claim you have nothing to do with the resource. You are simply >providing a service to your customers. Yes. And what is wrong with that? All the mntner object does is grant access to change a ripedb object. It says nothing about who operates a resource or what they are doing with it. The reason I have mntner on a few objects is that the resource holder neither want nor are able to deal with the ripedb and as backup so the resource stays maintainable in the inevitable event of the other mntners losing their password. This does not make me responsible for what this resource holder or their customers do. > By creating a new MNTNER >for each customer only they (and you) can manage their data Er, isn't that the *point* of the mntner object? Who else should be able to besides the NCC? (and they are) > You try contacting that resource holder!! tech c, admin-c, abuse-c... > The RIPE NCC and maybe the sponsoring LIR knows who it is, but > no one else does. Nobody else NEEDS to know. If the NCC knows and the sponsoring-org knows, it is contactable. If they won't talk to you, get on to the NCC. If they don't talk to them either, they are going to be deregistered anyway. >implementation of personalised auth and dropping the MNTNER >object would solve this issue of anonymity. Unfortunately the >watered down version of my original plan being offered now does >not go far enough. This much anonymity is required. I have several customers, why is there a need that, a) they know of each other b) every other randomer on the Internet knows whom I work for? And, yes, a different mntner for every object is a possibility but it's unmanageable and really makes things much harder than they need to be. >My main point was the chain of trust for resource holders and >resource managers. Also being contactable does not mean personal >contact data must be displayed to the public. There are many >ways to be contactable. But few people are even willing to >discuss possibilities when it comes to changing the data model. Maybe because it has served us reasonably well over the years, it's a massive effort to completely change it and it's still a damn sight better than most other RIRs' databases. rgds, Sascha Luck
- Previous message (by thread): [anti-abuse-wg] WHOIS (AS204224)
- Next message (by thread): [anti-abuse-wg] WHOIS (AS204224)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]