[db-wg] ORG record vetting ?

In message <c59c9c14-521e-e7f8-fb9f-51a1dcb3f757 at foobar.org>, 
Nick Hilliard <nick at foobar.org> wrote:

>Would it be feasible for the RIPE NCC to add a read-only record to org: 
>objects which provided the date of the last due diligence check?  E.g. 
>something like
>
>organisation:   ORG-FNL99-RIPE
>org-name:       Foo Networks Limited
>org-type:       LIR
>[...]
>mnt-ref:        RIPE-NCC-HM-MNT
>mnt-by:         RIPE-NCC-HM-MNT
>abuse-c:        FOO2000-RIPE
>created:        2019-01-01T01:01:01Z
>last-modified:  2019-01-01T01:01:01Z
>due-diligence:  2019-07-01T12:00:00Z
>source:         RIPE
>
>Otherwise it doesn't look like it's easy to heuristically work out 
>whether due diligence has been carried out on a particular object or not.

I can't answer Nick's question, but I did just want to offer my take
on this.

Personally, my own inference/assumption when looking at records like the
one above is that "vetting", however that is defined, took place on this
ORG on or about the created: date and NEVER thereafter.

This seems to be the way things are done in the ARIN region, as I learned
the hard way.

I made a fool out of myself awhile back on the ARIN Public Policy Mailing
List (PPML) when I endlessly harangued John Curran (ARIN CEO) about how it
came to pass that one tricky scoundrel (whose primary business name was/is
"Micfo") somehow managed to create a lot of companies, each of which was...
according to the relevant WHOIS records... located in a different U.S. state
within which each such company had NEVER been registered.

So, as I learned, according to Curran, at the time these different (fradulent)
companies were initially granted (IPv4) resources, they -were- each vetted
to make sure that they each existed and that they each were registered in
the states they claimed to be in AT THAT TIME.

If I understood Curran correctly, sometime AFTER that the WHOIS records
for each of the IPv4 allocations that had been granted to each of these
fake corporate entities has been FIDDLED (by the crook at the heart of
this matter) to make it appear that the entities themselves were located
in and/or operating in various other states where in fact, they had
neither any operations nor any actual legal existance in those states.

ARIN does NOT vet any of the changes that a registrant may make to his/her/its
own pre-existing WHOIS records.  I believe that is an accurate characterization
of what Curran said on the PPML.

If ARIN doesn't vet WHOIS -modifications- then I rather doubt that RIPE
does so.

So, except in very rare cases, I would assume that the "last vetting date"
for any given RIPE WHOIS record is going to be approximately equal to the
created: date.


Regards,
rfg