[db-wg] IRT object postal address

Hi Ronald,

Please see replies below.

On Wed, Jul 20, 2022 at 4:52 AM Ronald F. Guilmette via db-wg
<db-wg at ripe.net> wrote:
>
> In message <CAKvLzuFZDSk11aW=j0ufpNs5i+-2bmDHFkJ7pQfaUu-nhhEiFQ at mail.gmail.com>
> denis walker <ripedenis at gmail.com> wrote:
>
> >During the conversion we had some time ago about contacts we concluded that
> >no one is going to visit a contact or post them a letter.
>
> No, "we" didn't.  Unless you are using the term "we" here in the royal sense.
>
> >The IRT object also had a mandatory address attribute that is defined in
> >the documentation as:
> >
> >"This is a full postal address for the business contact represented by this
> >irt object."
> >
> >Does anyone think we actually need a postal address for a contact for a
> >CSIRT team?
>
> Yes.  I do.
>
> You haven't yet answered _any_ of the fundamental questions I've asked
> about your ongoing efforts to hide information, to wit:
>
> *)  Other than you and Cynthia, who is asking for and/or demanding these
> various deliberate obfuscation steps?

It might mostly be me and Denis advocating for this policy change,
however there hasn't been a lot of people active on the db-wg lately
in any discussions.
Additionally I have only seen you and one other person primarily argue
against this proposal.
I seem to recall some people being supportive to this idea at RIPE84
but I do not remember the details so take that with a grain of salt.

> *)  Why is the hiding of information even a priority?

Hiding information is good from a privacy standpoint so you have to
weigh the benefit of having the data public against the privacy
implications of publishing it. (and consider any potential legal
issues/requirements)


> *)  What is the plan?  Who is going to do the work, when, and what is the
> cost?

The implementation details would be discussed later as Denis has said,
however obviously it would be the RIPE NCC that would do the work of
actually implementing it.

> *)  Are these deliberate obfsucation steps still being justified on the
> basis of GDPR, or do you now accept as fact that GDPR is irrelevant in
> the context of the RIPE data base, and that it does not currently compel
> RIPE to make any changes to the public WHOIS data base whatsoever?

Denis has already mentioned in an email regarding 2022-01 that he will
not address any more GDPR issues until there has been a legal review
as many of us are not lawyers.
While I can't speak for Denis, you have not convinced me that GDPR is
somehow irrelevant in the context of personal data but I also don't
want to discuss it further until the NCC legal team has done their
legal review.

> *)  If the goal is to hide information, then why not just take the entire
> RIPE WHOIS data base offline and hide the whole thing behind some sort of
> permission-wall that can only be pierced with a legal warrant?
>
> (That last question is, of course, the essential point, since that endpoint
> seems rather clearly to be the direction in which this is all headed.)

This question is not really an "essential point" in my opinion as
there is a big difference between hiding postal addresses and hiding
abuse email addresses and route(6) objects.
I would argue that a postal address is very rarely needed in the
context of networks while abuse email addresses and route(6) objects
are important to the operation of many networks.


> Regards,
> rfg
>
>
> P.S.  I really don't care if I am the only one on this mailing list who
> is representing the interests of law enforcement and legitimate security
> researchers, or if I have to endure the slings and arrows that come with
> that.  It's a tough job, but somebody has to push back against all of
> these subtle incremental efforts to hide the WHOIS by chipping away at it,
> little by little.

-Cynthia