[anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

Hi Nick, all,

I was waiting a few days because I though it will be easier wait for most of the participants to be able to react and then try to summarize and respond to all the comments in a single email.

I'm going to try to do it anyway with as fewer emails as I can. This means trying to avoid repeating myself, in the interest of everyone, but if you feel that I'm missing anything which is key, please, let me know.

I would suggest to wait a couple of hours, so I stop replying in order to ask something that I will be replying already in minutes ...

So ... My responses below, in line, as [Jordi]
 
 

El 28/4/20 21:28, "anti-abuse-wg en nombre de Nick Hilliard" <anti-abuse-wg-bounces at ripe.net en nombre de nick at foobar.org> escribió:

    Petrit Hasani wrote on 28/04/2020 15:01:
    > A new version of RIPE policy proposal, 2019-04, "Validation of
    > "abuse-mailbox"", is now available for discussion.

    The updated version of this policy proposal is here:

    > https://www.ripe.net/participate/policies/proposals/2019-04/draft

    The proposal has the following problems, each of which would be 
    sufficient reason it its own right to reject the proposal:

    > and must not force the sender to use a form.

    It's not the job of the RIPE NCC to tell its members how to handle abuse 
    reports, and it is beyond inappropriate for this working group to expect 
    the RIPE NCC to withdraw numbering resources if member organisations 
    don't comply with an arbitrary policy which forces the use of SMTP email 
    like this.

[Jordi] The job of the RIPE NCC is to implement the policies agreed by the community. Different folks may consider different pieces of all of our policies as "inappropriate" or "arbitrary" and the goal is to find a point in the middle, which is what we call consensus. I believe is perfectly understandable the need to avoid using manual forms which don't follow a single standard, which means extra work for *everyone*.

    > [...] is present and can receive messages at least every six months*.
    > If the validation fails, the RIPE NCC
    and:

    > *The RIPE NCC may change the validation period depending on the level
    > of accuracy of the contacts. For example, switching from six-month to
    > one-year period once contact accuracy has improved.

    This addition proposes to micromanage the RIPE NCC even further. 
    Arbitrary time-scales like this are operational details which have no 
    place in a well-thought-out policy.

[Jordi] The actual policy has a bigger level of micro-management, by setting one year and not allowing the NCC to change that. I think it is much better to explicitly allow it. One alternative, I will be fine with that, is not define the time at all, and let the NCC to adapt it to the needs. Would you thing this is more appropriate?

    > This validation process will not check how the abuse cases are
    > processed. The community should escalate/report back to the RIPE NCC,
    > so anonymised statistics can be collected and periodically
    > published.

    > However, the community should report any situation to the RIPE NCC,
    > which can provide (anonymous) periodical statistics to the community,
    > which can take further decisions about that.

    This proposes that the RIPE NCC becomes an abuse reporting clearinghouse 
    based on unsubstantiated community gossip.  This is inappropriate in 
    many different ways.

[Jordi] What I'm asking here is to make sure that we have stats. I'm not changing what is an actual practice. You can always report to *any* RIR, what you think is wrong and if you're a good internet citizen, you should do that. I'm happy if you believe that my wording is not good, and we agree on that goal, to find an alternative one. Any suggestion?

    > It should be clear that the policy intent is not to look into how the
    > abuse mailbox is monitored or how abuse cases are handled.

    It's difficult to take this seriously when the intent of most of the 
    rest of the text in the proposal is about using the RIPE NCC to monitor 
    how abuse cases are handled and to ensure that the abuse mailbox is 
    monitored.

[Jordi] I can't agree here. If you compare the different versions, you will see that I've taken in consideration the inputs on this and removed lots of text that were considered as telling the resource holders how to do it. The proposal no longer looks if you have a person, a robot, or whatever to monitor de abuse mailbox, or if you ignore the cases.

    The proposal is self-contradictory, intrusive into NCC membership 
    business processes and there is no compelling reason to believe that the 
    proposal will end up reducing the amount of abuse on the internet.

[Jordi] Again, the proposal is trying to ensure that we have stats. Then we, as a community, can decide if we need to do anything or not. I don't think this is intrusive at all and if we compare with other policies, that also tell us how you do the things, because many things related to how your get and manage resources, keep the database updated, etc., at the end, clearly have some impact in your processes as a business.


    In addition, all of these problems were identified in previous versions 
    of the proposal, i.e. none of them has been resolved and because of 
    that, there is no reason to think that this version is any more likely 
    to reach consensus than any of the previous versions.

    The proposal needs to be abandoned.

    Nick





**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.