[arin-ppml] Draft Policy 2008-7: Identify Invalid WHOIS POC's

Ted Mittelstaedt tedm at ipinc.net
Tue Mar 24 17:26:08 EDT 2009


 

> -----Original Message-----
> From: Stephen Sprunk [mailto:stephen at sprunk.org] 
> Sent: Tuesday, March 24, 2009 1:37 PM
> To: Ted Mittelstaedt
> Cc: 'ARIN PPML'
> Subject: Re: [arin-ppml] Draft Policy 2008-7: Identify Invalid WHOIS POC's
> 
> Ted Mittelstaedt wrote:
> >> -----Original Message-----
> >> From: Stephen Sprunk [mailto:stephen at sprunk.org]
> >> Sent: Tuesday, March 24, 2009 1:19 PM
> >> To: Ted Mittelstaedt
> >> Cc: 'Lee Dilkie'; ARIN PPML
> >> Subject: Re: [arin-ppml] Draft Policy 2008-7: Identify Invalid WHOIS POC's
> >>     
> >> ... I agree, as I believe Lee does, that all POC records should have
> >> valid email addresses.
> >>     
> >
> > OK then, would you be willing to support a policy proposal that ONLY
> > stated all POC's must have valid e-mail addresses?  Nothing else about
> > validation or any of that?  Just a simple statement that all POCs in
> > the whois database must have valid e-mail addresses?
> >   
> 
> No.  Without validation and enforcement, the policy would be 
> useless and just clutter the NRPM.
> 

Heh.  OK I see you're not going to make it easy for me.

I'm going to assume that no matter what I say you're not going to
be convinced.  But I am not too concerned about that because it's
clear that ARIN uses an elastic definition of consensus - not
every last person must agree for a policy to go into effect.  So
I really only need to meet the bar of convincing everyone else,
and your response here allows me the opportunity to do it.


You believe that policy proposals must have validation and
enforcement.  That's your first premise.

You also stated that you believe all POC records should have
valid e-mail addresses.  Now, MOST people
would assume that the definition of a valid e-mail address is
one that the POC gets the e-mails sent to it - even if the POC
chooses to not respond.  BUT, here is where things get a bit tricky.

If an e-mail address in WHOIS is accepting mail but the POC is not
responding, EVEN THOUGH it might be ORDINARILY considered
"valid" in the context of what an e-mail address IS, in the
context of the ARIN WHOIS database IT IS NOT VALID.  It isn't
valid because there is no way to PROVE it is valid unless
they respond to a message to it.  Proof requires them to respond.
Just looking in your /var/log/maillog
and seeing the remote machine accepting the message isn't enough.

You could query whois, get the e-mail address, call the POC, say
"is this your e-mail address" and have them say yes, then send
an e-mail to it, and even see your machine contacting their
mailserver and the message going - but unless they say "OK I
got the message" you have NO PROOF that the POC actually got
the message.  Their mailserver could have simply discarded the
message before delivering it to their e-mail box.

The actual human that the POC is, MUST RESPOND for the
address to be considered VALID in the context of the WHOIS database.

So, thus is the second premise.  You state that you believe
all POC records should have valid e-mail addresses.  That means,
e-mail addresses where when the POC is contacted by e-mail,
the POC responds.  (spam messages mailed to the poc are not
attempts by a human to contact the poc, thus the POC does not
need to respond to the spammer to be considered valid)

To throw your position a bone, the policy specifies contact by ARIN must
be responded to, not contact by anyone else in the world.

OK so now we have our 2 premises that YOU claim to believe in.

Now, for these premises to be valid in this proposal, the
first step is that the only possible way here for ARIN to
know if the POC e-mail is valid is to e-mail it and get responses
(e-mail or otherwise).  I mean, if they simply called the POC on the
phone or sent them a paper letter, asking if the e-mail address in
the POC was correct, that's still no guarantee that the address isn't
bogus - the POC could lie to them.  It takes an actual e-mail
and response, to know.

But, we aren't complete.  What is ARIN?  ARIN is us.  Meaning, 
the ARIN membership, us, essentially govern ARIN.  Effectively WE are the
ones asking if such-and-such an e-mail address on a POC is valid.
And ARIN staff has to have some way of communicating the response back
to us.  That way is the whois database.

In short, if I ask how do you, Stephen, know if a specific e-mail
address on a POC is valid, your answer would be that you know it's
valid because WHOIS says it is.

But, today, right now, you, me, nobody has any way of knowing if
this is true.  Because, the WHOIS database currently is not validated,
not checked, and has NEVER been.

In short, today we CANNOT conform to your premise #2 - that all
POC's must have valid e-mail addresses in WHOIS.  Thus, we MUST
validate to conform to that - premise #1.

And, because contact of the POC by any other means than e-mail
introduces the ability that the POC can lie, ONLY contact via
e-mail followed by a response by the POC meets the bar set by
your premise #2 - that POC's must have valid E-mail addresses.

Thus, the policy proposal specifies contact by e-mail.




Ted



