[ppml] RE: [arin-announce] Policy Proposal 2003-3: Residential Customer Privacy

[Michael.Dillon at radianz.com]

>Personally I don't like the Private Individual proposal.

I don't like it either. It's another example of bad policy that is too 
detailed and therefore misses solving the problem. The fact is that some 
organizations or individuals who receive IP addresses, either don't want 
to publish contact information or else they are clueless in some way so 
there is no point in publishing contact information. Therefore, a 
reasonable policy would state something like this:

   There MUST be contact information published for all IP address 
sub-allocations and assignments.
   The contact information MAY belong to the upstream organization rather 
than the address user 
   but it MUST lead to people who can deal with issues such as network 
abuse.

See how simple things could be. We want contact information that is 
accurate and is usable because it leads to people who can take action. 
Sometimes the address user can meet the need for such contact info but 
other times the ISP is the only one who can meet these needs. If an ISP 
has a large organization as a customer using a /20 of IP address space, 
they can still hide the identity of this organization and keep everybody 
happy as long as the ISP themselves will act as the contact point.

The only area of possible concern is that ARIN may wish to see the full 
identity in order to audit address usage. If we would only get rid of this 
antique technology of SWIP and whois and rwhois then this would not be a 
problem. LDAP allows secure access and it allows one to define that only 
certain users can see certain info. Therefore it is simplicity for an ISP 
to run an LDAP server that provides public access to public info and lets 
ARIN people, under NDA, have a peek at more detail.

Of course, if we don't want to use modern technology like LDAP, we can 
still meet the ARIN requirement by sending them some kind of files or 
databases anytime they do an audit. But that's a process problem and I 
don't think we need policy to solve it.

P.S. I think the best use of the upcoming meeting is not to discuss the 
policies on the table. Rather, I believe it would be more fruitful to 
discuss some draft policies that can be discussed over the next few months 
and then voted on at the next meeting. There seems to be some interest 
right now in policy revision, but I believe it would be a mistake to rush 
in and make policy in the disorganized fashion currently in use.