[anti-abuse-wg] Proposal: Publish effective users' abuse-c

Hi Ángel,

On Thu 20/Jan/2022 16:27:59 +0100 Ángel González Berdasco wrote:
> Alessandro Vesely wrote:
>> 
>> I propose that RIPE accepts abuse-c email addresses from verified effective 
>> users of a range of IP numbers, stores them in the database, and serves them in 
>> RDAP/ WHOIS queries besides the abuse-c addresses provided by the ISP.  Various 
>> automated methods can be adopted to allow an effective user to be verified; for 
>> example publishing an HTTP URL or a DNS entry.  Abuse contacts added that way 
>> can expire after a few months, forcing the effective user to renew them, so as 
>> to avoid stale entries.
> 
> I think you should describe how this proposal differs from what is
> available nowadays. Wouldn't they already be able to configure verified
> effective users for the IP addresses (e.g. with an abuse-c of the
> client and another of theirs) ?
> 
> They may be unwilling to do so or consider it a hurdle, requiring them
> to create new objects and so on, but what makes you believe they would
> be willing to use that new system?


Curiously, IME, they're keen on doing RFC 2317 delegations, but refrain from 
assigning abuse-c attributes.  I don't know if those belong to different 
departments or if there's just a different policy.  The concept that they are 
safer holding abuse-c for themselves was expressed on mailop recently.  If I 
were an ISP, I'd set up different abuse-c addresses for each customer, 
something like abuse-customer at isp.example, with possible auto-forward to a 
customer supplied address.  But I'm not.

RDAP allows some leeway in responses, so that something could be set to 
indicate whether a vcard entry belongs to the ISP or to the final operator.  I 
don't think ARIN or other RIRs are already featuring that kind of facility.  Is 
it because nobody asked?


Best
Ale
--