[anti-abuse-wg] [policy-announce] 2017-02 Review Phase (Regular abuse-c Validation)

Nick,

On 19/01/2018 17:26, Nick Hilliard wrote:
> Brian Nisbet wrote:
>> Given the NCC have repeatedly said that the ARC is not a suitable way to
>> validate the abuse contact and have proposed an alternative method,
>> supported by the ARC process, do you have any comment on the actually
>> proposed process?
> 
> Honestly, it's hard to tell.
> 
> After looking at the text from the "Validation method" section of the
> proposal, it looks like the RIPE NCC may be suggesting doing something
> like issuing an SMTP RCPT command to see if the mail server rejects the
> email address.  If this is the case, it is likely to provide plenty of
> false positives albeit no false negatives.  I.e. if it fails this test,
> then the email address is categorically not working, but if it passes
> this test, then there is no guarantee that the email address is working,
> for a very limited definition of the word.  Because of a lack of
> details, is not possible to tell if this is the actual method being
> suggested, but it is not incompatible with what is being proposed in the
> PP document.

I would suggest that seeking clarification from the NCC about the impact
analysis and proposed solution is a perfectly fine thing to do,
especially if people are uncertain, so hopefully they can clarify
further here.

> What's absent from this process is any mechanism to link the email
> address to the sorts of metrics and expected results described in
> presentations given by the authors, e.g. the presentation given in the
> RIPE75 AAWG session.

I will leave that to the authors.

> What's also absent is a clear statement that the email address which has
> been "validated" isn't necessarily connected to anyone in the
> organisation handling abuse or that it may not actual function at all in
> any meaningful way.

Well, this is where we keep on coming back to in this conversation.
There are clearly those who wish for the validation to go much further
and others who do not wish it to happen at all. Threading that line is
proving tricky. I, personally, do not see how the ARC could scale for
this process.

> This isn't intended to rubbish what the RIPE NCC are proposing: they've
> been asked to do something which is fundamentally almost impossible to
> do in a meaningful way, and have suggested that by redefining the
> problem into something which can largely automated, that a practically
> impossible task can be turned into something feasible.
> 
> The problem is that there is now a substantial mismatch between the
> stated aims of the policy proposal and the proposed validation method.

The stated aim of the proposal is:

"This proposal aims to give the RIPE NCC a mandate to validate
“abuse-c:” information, at least once a year, and to follow up in cases
where contact information is found to be invalid."

I take it in this instance you do not feel that the process as described
counts as validation? Or is it rather sufficient validation?

> I'm going to object to this version of the policy proposal too.  Partly
> on these grounds, and partly due to the observation that few, if any, of
> the substantial objections made by numerous people to version 1.0 have
> been resolved either.
> 
> If the latter needs fleshing out for the purposes of ensuring that these
> remain registered as formal unresolved objections, it would be helpful
> to know, because a bunch of these problems really haven't been addressed
> at all.

I'm not going to object to you rounding this information up, at all, but
I will obviously also be going through the discussion and it would be
useful to hear from others who objected as to their opinion of the new
version.

Thanks,

Brian
Co-Chair, RIPE AA-WG