[ppml] Policy Proposal: Authentication of Legacy Resources

Tue Jul 10 15:39:29 EDT 2007

On Jul 10, 2007, at 8:23 AM, <michael.dillon at bt.com> wrote:

>
>> Finally, the contact data may be 15 years old, but that
>> doesn't relate to it's veracity.  If it's out of date, how do
>> you get a hold of someone to let them know it's out of data?
>> Breaking their Internet isn't a nice thing to do.  Who gets
>> sued when it happens?
>
> I wonder what the courts would think if a plaintiff admitted that they
> had not contacted their provider of critical infrastructure for the  
> past
> 15 years? Might the courts consider that the plaintiff had been
> negligent and therefore, the author of their own misfortune?
>
You are assuming facts not in evidence.  For most legacy holders,
as far as they are concerned, ARIN is not their provider of anything.

I suppose if they consider their in-addrs critical, you could make an
argument, but, for the most part, they probably don't.  Beyond that,
as far as they are concerned, ARIN doesn't provide or have anything
to do with their addresses.  They got them from some other entity.

As an example, I received a General Radiotelephone License for
aircraft from the FCC.  This license doesn't expire and I only really
need it if I fly a US aircraft in certain foreign airspace.  You could
argue that it is a form of critical infrastructure in that it is a legal
requirement under certain circumstances.  However, there's no
need for me to contact the FCC again about it unless I change
my address or other pertinent detail.

The license would still be valid even if it had been 20 years
without contacting the FCC.

Similarly, my pilots license does not require any regular contact
with the FAA.   Sure, I need to stay current, and, that requires a
visit to a flight instructor every other year and that I at least log
some other stuff as well as a visit to a flight surgeon every two
(or three, depending on age), but, short of a  change of address,
there's no need to contact the FAA.

As such, I think legacy holders that haven't contacted ARIN if their
data hasn't changed are in a fairly strong position.
> Lawsuits are like a shotgun with a barrel which shoots out both ends,
> and after you pull the trigger, someone else decides whether you blast
> yourself in the face, or whether your opponent gets shot.
>
True.  Usually they seem to seek a solution where each side ends up
with some buckshot implanted.

> Also, courts do not like to award a case to plaintiffs who have not
> taken some steps to mitigate the damage which they claim to have
> suffered. ARIN's duty is to ensure that potential plaintiffs have  
> ample
> opportunity to come on board with the rest of the IPv4-using community
> so that if someone does point a lawsuit shotgun at ARIN, the blast  
> will
> go back on themselves.
>
To some extent this is true.  However, whether the courts would rule
against ARIN or not, I believe ARIN has some obligation to continue
the status quo even for legacy holders that continue to choose not
to join the ARIN process.

> Note that ARIN could still break someone's Internet by shutting off
> in-addr.arpa and still come off scot free in the courts. It is not the
> act of shutting off the free service that determines liability. It is
> the whole process surrounding it.

True.

> The open discussion on this list is
> one of the things that strengthens ARIN's ability to shut off free
> in-addr.arpa services if a legacy holder does not come on board  
> with the
> rest of the community.

That I'm not so sure of.

Owen