[ppml] Policy Proposal 2003-11: Purpose and Scope of WHOIS Di rectory

Wed Aug 27 16:45:08 EDT 2003

----- Original Message ----- 
From: "Charles Scott" <cscott at gaslightmedia.com>
To: "Lee Howard" <lee.howard at mci.com>
Cc: <ppml at arin.net>; "Member Services" <memsvcs at arin.net>
Sent: Wednesday, August 27, 2003 7:46 PM
Subject: RE: [ppml] Policy Proposal 2003-11: Purpose and Scope of WHOIS Di
rectory

>
>
> On Wed, 27 Aug 2003, Lee Howard wrote:
>
> > To what extent are the following statements true?
> >
> >   WHOIS without naming the end user is not much use.
>
>   Since you asked... I don't agree with this. While others may want data
> all the way to the end user, all I care about is if there's someone I can
> contact who's going to take responsibility for some issue. I've spent too
> much time trying to contact and get response from end-user contact
> addresses and phone numbers and 2nd/3rd tier providers using ARIN whois
> data. If there is a desire to maintain data down to the end-user level,
> I'd prefer to at least know if the contact data is valid.

I agree and disagree (there, that's clear, then!). Personally, I would find
end-user information useful, but agree that a lack of valid contacts hurts
when (e.g.) reporting abuse.

How about a combination - the end user is listed, allowing those who wish to
find then to do so, but a pointer is added to the owning organization? From
my examination of bulk WHOIS, this appears to be how the data is arranged
and should therefore be relatively easy and safe to implement.

> >   End user information without contact information, as currently allowed
> >   as reassign-simple, is not much use.
>
>   At least if the end-user was there but had no contact information I
> wouldn't waste time trying to contact them.
>   Perhaps there's a compromise in this. If (1) whois data for top level
> allocations is mandatory (2) contact data verification for top level
> allocations is mandatory, (3) contact data verification is optional for
> provider assignments and end users, (4) records required to have contact
> verification and records that have opted to have contact verification are
> clearly marked as being subject to verification, (5) a process
> periodically verifies all such records and clearly marks those that don't
> verify, and (6) there is an optional method to query only verified
> records, then I think we have the best of all worlds.

That's similar thinking, but I'm wondering if that's too rigid a regime -
more implementation than policy.

Make points 5) and 6) a recommendation and we're in full agreement.

>   I do like the concept of opting lower-level records into contact
> verification. With that, a provider who wants to can opt to insist that
> their customers have verification on their records as a condition of use
> and therefore offload most work associated with network issues for those
> assignments. Those who don't will of course be responsible themselves.
>   The last component would potentially be some way of dealing with
> contacts that verify but are not responsive when contacted. If that
> happens to be a direct allocation from ARIN, then it would become an
> issue involving ARIN. If it's an assignment or end-user, then the next
> higher verified contact would be the one involved.

Agreed.

> >   Except for spammer address-harvesting and showing utilization to ARIN,
> >   WHOIS is not much use.
>
>   I'm sure you asked this rhetorically. The Internet would be a pretty
> useless place without some ability to contact network operators. Clearly,
> accountability is important, if nowhere else but at the allocation level.

Agreed, but some of us find the geographical data useful (just to declare
one of my own interests, in addition to anti-abuse measures)

Regards,

Ian