[ncc-services-wg] Independent Resource procedure and implementation

Hi,

On 09/03/2009 05:50 PM, Andrea Cima wrote:
> To address your first and second points, the RIPE Database is a public
> database. The aut-num objects that you mention are maintained by the
> Local Internet Registry (LIR) or the End User and have been assigned by
> the RIPE NCC over a number of years. This means that the information
> contained in the RIPE Database might be outdated or inaccurate.
Yes, this is public database, but updates are restricted to limited
number of person in defined hiearchy. And you should have all logs
related to these changes. Majority of changes _must_ be authorized by
some known maintainer. You cannot have problem to obtain informations
about last update time of any information from your database. So, you
can easily focus to objects _not_ updated for several years...

> However, as a consequence of this project, many LIR organisation name
> changes have been initiated by RIPE NCC members and contact details have
> been updated by many LIRs, including recently set-up ones. This
> contributes to the improved quality of RIPE Database data. RIS data
> would have to be compared with the RIPE Database information,
> bringing us back to the points listed above.
In general, changes of organization name, merging and transfers of LIR
aren't simple operation. Manual intervetion is required from RIPE NCC
staff to change these key informations about LIR. I this case - you say,
that RIPE NCC staff isn't updating these informations in case of change?
>From LIR perspective, in case of change there's requirement to provide
similar informations to RIPE NCC staff, same as LIR provided at setup
time. You're billing each LIR (at least) every year. So, you also have
informations about existence of organisation, almost nobody will pay
invoice to RIPE NCC behalf non-existing company.

Again, it's just about pairing of informations in all of databases, that
RIPE NCC has. It seems, that RIPE NCC is lazy to do this! Even, if all
LIRs pay you (RIPE NCC) for this work. RIPE NCC has enough staff to do this.

> The RIPE NCC is also working on a project to enhance the quality of its
> registration data in order to help resolve similar cases in the future.
> Creating a separate process for 'small' and 'larger' LIRs would not be
> cost effective. Furthermore, the RIPE NCC is impartial and
> neutral to all its members.
In first place, there's need to improove work of RIPE NCC staff. As I
mentioned above, you request many informations from LIRs, but it seems,
that this is "one time" communication between LIR representative and
RIPE NCC employe, but not reflecting your databases.

> In the case you mention, where an LIR uses one AS Number for its
> infrastructure, the LIR is requested to select "My Infrastructure" on
> the interface provided. No further action is requested from them. I am
> sorry to hear that you see this as an abuse.
Yes, but this must be done in some tool, which is NOT integrated to LIR
portal and which doesn't work with PKI authentication correctly.

> To address your concerns related to the software, the current
> implementation of "single sign on" enables you to log in once using:
> 
> - Certificate AND password for certification *or*
> - Just password (or both) for policy 2007-01
> 
> It does not currently allow login using only a certificate.
Yes, I know my password and I tried to use it. But, I'm able update
informations only for "primary" LIR, not for secondary ones assigned to
same certificate (and yes, I'm able to update anything on LIR portal).
That "new" software is just broken. And probably you wont accept this fact!

> We believe that this is a good thing. The ability to sign in using just
> 'certificate' degrades the security of the portal; users could generate
> such certificates without pass-phrases and then anyone with access to
> their computer could log in.
I agree, but if I'm sucessfully authenticated, I should be able to
update _ALL_ informations, where I'm responsible for them. Not only some
of them.

> Being an 'external user' and representing many LIRs results in having
> to log in as 'primary' user for each of them. This was recognised during
> the development of this project as a point for improvement. In the new
> version of the LIR Portal, which we are currently working on, this will
> be handled in a more user friendly way.
Again, why there's new project, new authentication model and finally -
more spent time and money for - from user perspective - very simple tool
with one submit form. This functionality can be implemented to LIR
portal. You can improove security of LIR portal in general, but there's
no reason for develop outside - pure new - tools...

> Unfortunately, we could not integrate completely with the LIR Portal in
> the timeframe given to implement policy 2007-01. We decided not to make
> further developments to the legacy code base of the current LIR Portal
> because we already had plans to entirely rebuild the LIR Portal.
You HAD enough time. First version of policy is more than two years old.
And  there was NO requirement for implement pure new authentication at
all. It's just your obscurity from your side. From your words, it seems,
that RIPE NCC software development processes should be _deeply_
inspected. Where's reported process of development of "new" LIR portal?

Simple web form with few radio buttons and one submit button really
doesn't require hard development.

> We are currently working on the LIR Portal migration project. One of the
> first milestones will be to make the integration between old and new
> seamless for users.
As mentioned above, RIPE NCC should report all these activities to RIPE
members. Where're published these plans, roadmaps for migration, etc?
Where's testing version running? RIPE NCC should NOT be a blackbox, it's
membership-driven organisation. You should share ALL these informations
with members.

> With regards to the RIPE NCC audit you mention, I can ensure you that
> this is just a coincidence.
Public RIPE NCC auditing procedure isn't much desciptive, there's no
real methodology of this process. Existing policy gives rights to RIPE
NCC for doing almost anything, RIPE-423 is very vague. And there's not
real requirement for some reporting from RIPE NCC. Older RIPE-170 was
slightly better, but was changed by some reason to this new - shorter
version.
There aren't any publicly accessible reports of audit activities for
several years. Process of audits isn't transparent to RIPE NCC members.
Again, we're talking there about RIPE NCC transparency...

Daniel