<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi Hank,</div><div class=""><br class="">It was preferable not to contact the affected parties for the following reasons:<br class=""><br class=""></div><div class="">- We could not verify whether the email address was accurate (it was possible to change it without authentication until this became mandatory).<div class=""><br class=""></div><div class="">- As the RIPE NCC is not able to correctly check all claims on unmaintained database objects, it is not possible to assist users in unlocking these objects.<br class=""></div><div class=""><br class=""></div><div class="">- There is a substantial operational burden on the RIPE NCC to respond to queries resulting from a mass notification (one quarter of the 850,000 affected objects contained an email address).</div><div class=""><br class="">I hope this clarifies the decision.<br class=""><br class="">Regards,<br class="">Ed Shryane<br class="">RIPE NCC</div><div class=""><br class=""></div></div><div><blockquote type="cite" class=""><div class="">On 7 Apr 2016, at 21:31, Hank Nussbacher <<a href="mailto:hank@efes.iucc.ac.il" class="">hank@efes.iucc.ac.il</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta content="text/html; charset=windows-1252" http-equiv="Content-Type" class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<div class="moz-cite-prefix">On 07/04/2016 11:23, Trudy Prins wrote:<br class="">
<br class="">
Can you detail what attempt was performed to try to contact the
person or role object? <br class="">
<br class="">
Thanks,<br class="">
Hank<br class="">
<br class="">
</div>
<blockquote cite="mid:285C3135-B7A5-4A68-91AB-BE20A50668BD@ripe.net" type="cite" class="">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" class="">
<div class="">
<div class=""><br class="">
</div>
<div class="">Dear colleagues,</div>
<div class=""><br class="">
The RIPE NCC Executive Board (EB) endorsed a proposal on how
to deal with a vulnerability for RIPE Database users.
Following their advice, the RIPE NCC proactively locked <span class="">848,986</span> unmaintained PERSON objects and
1,206 unmaintained ROLE objects on 6 April 2016.<br class="">
<br class="">
Since reaching the last /8, IPv4 address space has become more
susceptible to hijacking. Unmaintained PERSON and ROLE objects
are highly at risk of being found and hijacked. In addition,
unmaintained PERSON and ROLE objects are an issue with regards
to data protection obligations.<br class="">
<br class="">
The potential impact of abuse led us to consult with the EB on
this intermediary solution before engaging with the community
on the next steps. Exposing this issue without taking adequate
measures would have left the RIPE NCC liable to third party
damages.<br class="">
<br class="">
The proposed solution we outline below is a starting point, to
be discussed by the community.</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Background:<br class="">
===========<br class="">
<br class="">
Since 2010 it has been mandatory to protect PERSON and ROLE
objects in the RIPE Database using a maintainer on "mnt-by:". A
large number of PERSON and ROLE objects dating from before 2010
are still not protected in this way.<br class="">
<br class="">
Objects can be created that reference these unmaintained
objects, but doing so will generate a warning.<br class="">
<br class="">
In recent years, given the scarcity of IPv4 address space, there
is a higher risk of people searching for unmaintained PERSON or
ROLE objects in order to pose as a resource holder to sell IPv4
space. In the case of legacy space, this could take place
outside the view of the RIPE NCC if the address space is not
registered with the RIPE NCC.<br class="">
<br class="">
<br class="">
Proposal:<br class="">
=========<br class="">
<br class="">
1) All unmaintained ROLE and PERSON objects are now locked. As
the RIPE NCC will not be able to correctly check all claims on
unmaintained database objects, unlocking is not
available. Offering to unlock these objects could leave the RIPE
NCC liable to third party damages if due diligence is not
followed.</div>
<div class=""><br class="">
2) Furthermore, the RIPE NCC modifies the existing warning about
referencing unmaintained persons/roles to a similar warning
about referencing locked persons/roles.</div>
<div class=""><br class="">
3a) The locked objects can remain as they are. In time, all
locked PERSON or ROLE objects no longer referenced by other
objects could be automatically deleted: the current thinking is
a 180-day deletion timeout for these locked, unreferenced
objects.<br class="">
<br class="">
3b) If there is an operational need, new PERSON or ROLE objects
should be created by the object owners. This solution puts
control back into the hands of the object owners. The user can
follow the existing process for creating and referencing new
objects.<br class="">
If there is a use case for supporting bulk migrations where a
reference to a locked PERSON or ROLE object should be replaced,
the RIPE NCC can create a wizard in the RIPE Database webupdates
section of <a moz-do-not-send="true" href="http://www.ripe.net/" class="">www.ripe.net</a>.</div>
<div class=""><br class="">
</div>
<div class="">We look forward to your feedback.<br class="">
<br class="">
Kind regards,<br class="">
<br class="">
<br class="">
Trudy Prins<br class="">
Manager Software Engineering<br class="">
RIPE NCC</div>
<div class="">
<br class="">
</div>
<br class="">
</blockquote>
<br class="">
</div>
</div></blockquote></div><br class=""></body></html>