ARIN-PPML Message

[arin-ppml] SWIPs & IPv6

On Mon, Dec 7, 2009 at 11:14 AM, Chris Engel <cengel at sponsordirect.com> wrote:
>
Publication of the address and multiple contacts provides a last
resort if all other contact info is outdated and useless; it
provides enough information to write a letter. Mailing address might
also be used for less-urgent requests, or notices, such as
ones of a legal nature.

It also allows you to follow up an e-mail conversation with a
verifiable written record to all contacts (via certified mail),
which might be required in some circumstances.

> In the security world, the principle of "least privilege" is a well established best practice. That is, granting the minimum level of access/functionality/data in order to achieve a given task. I do not believe it is an unreasonable position to hold forth that ARIN should adhere to that best practice in regards to requirements for WHOIS.

Least privilege is not always the right answer; sometimes trying to
follow least privilege can result in an even less secure practice
than implementing the practices people would expect.

It's not reasonable that ARIN should restrict public information
simply to pursue ideological goals such as "least privilege"; ARIN's
best practice and core principle is good stewardship -- not least
privilege.

"Least privilege" is not a well-established best practice; it's a
general guiding principle.
Least privilege is neither definable nor possible to enforce; as
such, it's not a practice that ANYONE actually implements.

Least privilege is impossible because we do not know a priori what
all legitimate uses of the information are,
and we cannot know in advance the valid times when it will be called
up. Least privilege would insist
that attempting to use WHOIS on an IP would always return access
denied, until the very moment you _needed_
the information at that very moment, for a legitimate purpose.


If WHOIS followed least privilege, you would have to call ARIN, prove
you have a legitimate need to look up that record,
by sending them logs or proof of abuse, or other documents proving
the need. After they thoroughly verified your need,
they would then tell you which WHOIS fields you can request to see,
and then, upon the request (with paperwork properly filed and
approved, fees paid, etc.),
you would have 1 hour to perform a lookup of that record one time
from an IP address you specified.

If it only takes you 5 minutes to look up the record, then Least
Privilege was violated, since you were given 45 minutes you didn't
need.

In addition, you could only request the item of contact information
you are using. If you plan to e-mail the contact, you don't get the
phone number.

If you later need the phone number, you will have to prove the e-mail
contact didn't work, and start the request all over again (more fees,
wait 24 hours, etc.).


Actually, wait, no, that also violates least privilege: You don't
see an e-mail address or phone number, _ever_.
ARIN provides you a web form for sending an e-mail to a contact
whose name you will not be told.

Any attempt to reveal your own name or address in the e-mail will be
censored, by blanking out that portion of the email.

If you need to call them, ARIN proxies your call to the contact,
so you never see the contact's phone number.
An operator listens in and bleeps out any attempt by either side to
reveal contact information (which could compromise their own
privacy).

Also, since you don't need the privilege of hearing their real voice,
ARIN uses technology to disguise both callers' voices from each
other,
and filters any background noise that might reveal details about
their location.


If you need to send them a physical mail, you address it to ARIN
c/o the recipient's POC handle, and ARIN forwards the text of
the message,
after removing return address, and analysing its contents to make sure
you didn't accidentally reveal your identity.


If you need to go visit them physically, you pay ARIN to send a van,
in which you are escorted, blindfolded and restrained, to the
organization's contact
address by armed guards. After you are done talking with the
contact (both of you are blindfolded for the conversation),
you are escorted back to your place of business.

These methods respect least privilege and are "best practice" in
that regard.


> So let me put forth the question.... What is the legitimate NEED for publicly accessible WHOIS lookup that can be accessed anonymously and that has no gate-keeping functionality inherent to it?
>

The WHOIS specification has no gate-keeping functionality inherent to it.

But I expect ARIN could implement gate-keeping functionality on its
WHOIS servers, for example, by rate limiting the
number of different records that can be viewed by a single IP address
within a certain amount of time to a "reasonable" number.


--
-J
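The rate-limiting idea at the end of the message (cap the number of distinct records one source address may view within a time window) is sketched below as an added example; it is editor-written illustration, not ARIN's code or anything from the list. The "reasonable" threshold, the window length, the deque-based sliding window and the sample lookup log are all assumptions chosen for the demonstration. The limiter counts distinct records rather than raw queries, so a client that repeats a lookup for a record it already retrieved in the window is not penalised, while a client walking through many different records is refused once it passes the cap; refused lookups are not recorded, so a throttled client cannot extend its own lockout.

```python
"""Sliding-window rate limiter for WHOIS lookups, keyed by source IP.

Added example (not ARIN's code). A lookup is allowed if the source
address has viewed fewer than `max_distinct` different records in the
last `window_seconds`, or if it is repeating a record it already
retrieved inside that window.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple


class WhoisRateLimiter:
    def __init__(self, max_distinct: int = 10, window_seconds: float = 60.0):
        # Hypothetical "reasonable number" and window length; tune per policy.
        self.max_distinct = max_distinct
        self.window_seconds = window_seconds
        # Per-source history of allowed lookups: (timestamp, record_key),
        # oldest first, so expiry is a popleft loop.
        self._history: Dict[str, Deque[Tuple[float, str]]] = {}

    def check(self, source_ip: str, record: str, now: float) -> bool:
        """Return True if the lookup may be served, False if it is refused.

        `now` is injected rather than read from the clock so the behaviour is
        deterministic and testable.
        """
        hist = self._history.setdefault(source_ip, deque())
        # Drop entries that have aged out of the window.
        cutoff = now - self.window_seconds
        while hist and hist[0][0] <= cutoff:
            hist.popleft()
        seen = {rec for _, rec in hist}
        if record in seen:
            # Re-reading a record already served in this window costs nothing.
            return True
        if len(seen) >= self.max_distinct:
            # Cap reached: refuse, and do not record the attempt.
            return False
        hist.append((now, record))
        return True

    def distinct_in_window(self, source_ip: str, now: float) -> int:
        """Number of different records this source has viewed in the window."""
        hist = self._history.get(source_ip, deque())
        cutoff = now - self.window_seconds
        return len({rec for ts, rec in hist if ts > cutoff})


# Constructed sample lookup log: (seconds, source IP, record queried).
# Addresses are documentation/private ranges, not real registrants.
SAMPLE_LOG: List[Tuple[float, str, str]] = [
    (0.0, "203.0.113.5", "192.0.2.0/24"),
    (1.0, "203.0.113.5", "198.51.100.0/24"),
    (2.0, "203.0.113.5", "192.0.2.0/24"),     # repeat: free
    (3.0, "203.0.113.5", "203.0.113.0/24"),   # third distinct record
    (4.0, "203.0.113.5", "10.0.0.0/8"),       # fourth distinct: refused
    (5.0, "198.51.100.7", "10.0.0.0/8"),      # different source: allowed
    (61.0, "203.0.113.5", "10.0.0.0/8"),      # earliest entries aged out
]


def run_sample_log(max_distinct: int = 3, window_seconds: float = 60.0) -> List[bool]:
    """Replay SAMPLE_LOG through a fresh limiter and return each decision."""
    limiter = WhoisRateLimiter(max_distinct, window_seconds)
    return [limiter.check(ip, rec, ts) for ts, ip, rec in SAMPLE_LOG]


if __name__ == "__main__":
    for (ts, ip, rec), allowed in zip(SAMPLE_LOG, run_sample_log()):
        print(f"t={ts:5.1f} {ip:14} {rec:17} {'ALLOW' if allowed else 'REFUSE'}")
```

With a cap of three distinct records per 60 seconds the replay allows the first four lookups, refuses the fifth (a fourth distinct record from the same source), allows the sixth because it comes from a different address, and allows the seventh because the two oldest entries have fallen out of the window. The same structure keyed by an authenticated account instead of an IP address gives a gate that survives address churn.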