[db-wg] ORG record vetting ?

In message <CAFV686cXFY63mHQ0H0xutLtcrzDxFjN1_F0=16PVRfZeSdFsZw at mail.gmail.com>
Jacob Slater <jacob at rezero.org> wrote:

>In this context, RIPE's published guidelines on due diligence (
>https://www.ripe.net/publications/docs/ripe-700) cover what exactly is
>checked. From my experience, the guidelines are always enforced as written.

Thank you for the link!  I was unware of that.

In that document section 1.1 (a) seem to the one one and only section
relevant to my question:

    a. Proof of establishment/registration

    Normally, proof of establishment of a legal person can be registration
    with the national authorities (e.g., a recent extract from the Commercial
    Trade Register or equivalent document proving registration with the
    national authorities). When this is not available, other proof of
    establishment may be required (e.g., the law according to which the
    legal person was established).

That last sentence is quite obviously an attempt... and a rather feeble one,
in my personal estimation... to cleverly dance around the exact inconvenient
question that I raised.  "When this is not available..."  Yes.  When the
entity -claims- to be incorporated in Malta, or Cyprus, or Liechtenstein,
or Gurnesy, or the Isle of Man, or... then what happens, exactly?

This is not strictly an academic question, or one that I am asking just
for the sake of my health.  The answer... if a truthful one might ever be
successfully extracted from either NCC or the membership or the community...
has Real World practical implications.

Where, how, and from whom can I get an actual answer about what -actually-
happens in such cases?  Is there some secret procedure manual, burried on
some obscure shelf somewhere within NCC that explains the procedure?

>As you mention, due to a variety of factors (based primarily on differences
>in jurisdiction), this process isn't always perfect. I'm sure the NCC deals
>with at least some of fraudulent activity as a result of the flaws you
>mention.

You refer to this as a "flaw".  That terminology, it seems to me, may perhaps
inadvertantly give some the false impression that this glaring problem is
akin to the tiny spec of dust that ruins an otherwise perfectly good diamond.
I however view it more along the lines of a self-evident and *major* design
flaw, rather like the problematic rubber O-Rings that caused the destruction
of the Space Shuttle Challenger.

I guess it all depends on one's point of view.

>Unfortunately, short of drastic measures (such as prohibiting
>certain jurisdictions from requesting resources), I can't see an easy way
>to improve the current situation.
>Do you have a suggestion for how the process could be improved?

I do.  Or rather I should say, I would.  However it would be presumptive
and inapproporaie of me, as a non-European -and- a non-member to propose
any solution, and least of all, on this particular mailing list, where
any such propoal would quite certainly be out of order and off-topic.

More to the point however, I haver no firm reason to believe that anyone
other than your's truly even has a serious concern about this self-evident
and gaping hold in what passes for "vetting" in the RIPE region.  If noone
other than me is at all concerned, then the liklihood of there ever being
any change in procedure or policy must surely approach zero.

I would however appreciate it if RIPE, NCC, the membership, and the
community would discontinue the current practice of papering over this
problem, pretending that it does not exist, or that it doesn't make a
mockery of any and all pretenses of "vetting".

I don't know how people in Europe feel, generally, about airport security,
but where I am from it is widely derided as amounting to little more than
"security theater" in practice.  (Google for "beedoop machine".)  I'm sorry
to have to say it, but this notion of organization vetting in the RIPE
region is so evidently riddled with loopholes that I personally feel that
it is deserving of the same derision.


Regards,
rfg