ARIN-PPML Message

[arin-ppml] SWIPs & IPv6

Owen,


Owen Delong wrote:

"It is.  WHOIS is not a security oriented service.

WHOIS is a public disclosure service, intended as part of an open public records process around IP number resource policy, distribution, etc.

It makes little more sense to apply "least privilege" to whois than it would to apply it to property ownership records or other public records."

 - This strikes me as a bit of a circular argument. You are essentially saying it's public because it's public. Doesn't really tell me WHY it should be public.


"I contend that snail mail addresses are needed for the next step if they are uncooperative, as is the legal name of the block holder."


  - At that point you are going to the Courts and/or Law Enforcement anyways. If you have sufficient justification to bring suit against that legal entity (or file a criminal complaint) then you should have sufficient justification to petition the courts for disclosure of their information. At that point you are no longer in the "timely resolution" phase of things, you are in the "due process" phase of things. I don't see why it would be an undue burden to require you to petition the courts for that if you are already going to them for a redress of grievances. Certainly, that is the case for many other virtual identity information (e-mail addresses, dynamically assigned IP addresses, forum names, individual website owners, etc).



"The former is more likely. The latter is a violation of the WHOIS AUP."

   - Practically speaking, the ENFORCEMENT mechanisms for that policy are what? Those are anonymous public lookups and they happen all the time. It's all well and good to publish a policy but if your ability to enforce it for all practical purposes is next to nil....then the policy itself is worthless and might as well not exist.

     In some respects, I think this speaks directly to the issue at hand. Is ARIN really prepared to invest the resources to investigate the accuracy of ALL the information supplied by ALL the sub-delegations of IP address block space? Are they going to investigate that the name supplied by every sub-delegate is actually their real Legal Name? Are they going to investigate that the physical street address given for an entity is accurate? Are they even going to check the phone number and contact e-mail, and make sure that they are answered by a real person and not an auto-responder? If so....how often are they going to audit each one to make sure that it is still up to date? If they are unable to verify one or more pieces of such information... what enforcement mechanism will exist? In order to see any significant improvement in INVOLUNTARY compliance with WHOIS lookups over the present ALL that is going to have to be significantly beefed up..... and I imagine it will also invoke considerable ill will on the part of those being subject to such regulations.

On the other hand, if you wish to increase VOLUNTARY compliance with WHOIS listing.... something that WON'T necessitate vast ENFORCEMENT resources, then the way to do so is to address the concerns of some of the people who are choosing to avoid participating in that system. Whether you like it or not, think it is stupid or not....one of those concerns is PRIVACY. In this day and age people (and organizations) are demanding more control over their own information.... how much of it is revealed, to whom and under what circumstances and justifications and whether records of such requests are available. Like it or not, this is a growing trend that will only increase. If you want people to VOLUNTARILY participate in such systems you can provide them with mechanisms for addressing their concerns.... otherwise be prepared to hire an army of virtual cops to ENFORCE compliance with your mandate. As I see it, those are your two options.



Christopher Engel