[arin-ppml] Policy Proposal: Whois Integrity Policy Proposal

Leo Bicknell bicknell at ufp.org
Tue Aug 19 18:17:41 EDT 2008

In a message written on Tue, Aug 19, 2008 at 03:20:09PM -0600, E. Westbrook wrote:
>    I find in these two sentences an implicit assumption that resource
>    holders cannot authenticate themselves sufficiently for whois updating
>    purposes without being under an RSA.  I find this assumption faulty.

I agree in part, and disagree in part.

The exact same authentication can be done to provide a one time
update to a record, or as a precurser to signing an (L)RSA and then
doing the update.  Thus, on the first update I must agree with the
letter of your remarks.  However, there are two factors that cause
me to disagree with the conclusion you draw.

I am not a lawyer, so I cannot be sure this is the case, but my
understanding is that if there were no written contract and the
requester comitted fraud ARIN would have very limited civil court
recourse.  The best action ARIN could get would be to convince an
appropriate DA to file criminal fraud charges.  With a contract
ARIN has direct civil fraud remedies available.

The other issue is how to keep these records up to date over time.
One of the tools ARIN uses is yearly billing contact; if someone
fails to pay the bills the information ARIN has to track down the
owner should be at most 18 months old.  There is a much greater
chance of things like postal mail forwarding continuing to work,
old records being available, etc.  Since I believe billing requires
a contract, the LRSA is the appropriate contact in this place.

The alternative is for ARIN to do the complete re-authentication
on every request, which could be costly, time consuming, and annoying
for both parties.

Lastly, it's not a primary concern but I assume the act of
authenticating the resource holders however it is done today takes
staff time.  Since many legacy holders pay no fees they are being
subsubsidized by other ARIN members.  The $100 a year hopefully
covers the cost of authenticating the legacy holder, providing them
whois and in-addr.arpa services, this forum for discussion, and so
on so the playing field is much more level than it is today.  Again, I
don't see how billing can be done without some sort of contract, and the
LRSA is an appropriate contract.

If people have issues with the LRSA I think it's totally appropriate to
propose changes.

       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20080819/f8c3d20c/attachment-0001.sig>

More information about the ARIN-PPML mailing list