This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] WHOIS (AS204224)
- Previous message (by thread): [anti-abuse-wg] WHOIS (AS204224)
- Next message (by thread): [anti-abuse-wg] WHOIS (AS204224)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette
rfg at tristatelogic.com
Wed Nov 4 23:31:33 CET 2015
In message <20151103134248.GE47126 at cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg at c4inet.net> wrote: >On Tue, Nov 03, 2015 at 02:28:03PM +0100, David Hofstee wrote: >>In that line of thought: I would like email validation on a >>regular basis. There are so many email addresses that do not >>work properly (what then is the sense of registering invalid >>data?). > >There are LIRS that register many thousands of objects. Even >small LIRs can have many hundreds. Is the idea that they employ >someone full-time to solve captchas for the NCC (another idea >from this discussion)? > >Frankly, I'd rather have the spam, at least I can filter that. This seems to be a compltely valid question/point/argument. I'm frankly not sure how the idea of using CAPTCHAs even got mixed up in all this. I have trouble understanding how CAPTCHAs would be either necessary or useful in this context. (Maybe someone can enlighten me.) I am laboring under a huge disadvantage because, to be honest, I don't even understand the _current_ process... and that's probably the basis for my befuddlement about CAPTCHAs. Hos is an ORG-*-RIPE record currently created? Who creates it? In my own idealized version of future reality, which I freely admit may bear no resemblence to either current practice or even future possibility, the party that needs to have a specific ORG-*-RIPE record would start by creating an account someplace... maybe, you know, like at www.ripe.net or something. The party who needs the record would be the party who the record will represent. So if "Vladimir's Tool and Die Company" had reason to need an ORG- record, Vladimir himself, *not* his LiR, would start by creating an account someplace. Once he had that, then, while he's logged into that account, Vladimir would poke some button which would begin the process of creating the ORG record. He would then be asked to fill in a form with his contact details... name, company name, address, phone, e-mail. He would do this and then poke the submit button. Not long after that Vlad would get an automated phone call telling him that his magic cookie is 734926. Now... and this is the important part... WHILE HE IS STILL LOGGED IN, Vlad would poke some button that says "Validate", whereupon he would be presented with a really simple web form containing only a single small text entry box. Valdimir would put his magic cookie into the box and then poke the submit button. That would complete the validation. In this scenario, there is absolutely no need for any CAPTCHAs. Hypothetical attackers who might try to brute-force the magic cookie wouldn't ever even get the chance to even try, because they would have to be logged on to Vlad's account... using Vlad's login credentials... before they would even get to the screen containing the form where one enters the magic cookie. So, um, what am I missing? Regards, rfg
- Previous message (by thread): [anti-abuse-wg] WHOIS (AS204224)
- Next message (by thread): [anti-abuse-wg] WHOIS (AS204224)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]