[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

Chris Engel cengel at sponsordirect.com
Wed Apr 7 11:29:10 EDT 2010

Jay Hennigan wrote:

> The change is the *ability* to list the ISP's contact number
> and address, not a *requirement* to do so.  For cases where
> the end user customer has a security and technical staff that
> is willing and able to deal with these issues when they come up,
> said staff will probably want to have their own contact
> number listed in WHOIS.  Indeed it should be.
> If anything, I view this proposal as facilitating, not
> hindering, rapid response to security incidents by those with
> the knowledge and ability to deal with them.
> Note that this proposal in my opinion is better for
> *technical* reasons, without regard to any business and
> privacy concerns driving it.

I agree with Jay 100% here. People who WANT to anonymize their information (whether for fair reasons or foul) are going to be able to put in bogus information here regardless of policy. Unless you want to start investing about $10,000 per registration to actually investigate whether the information they provide is accurate, nothing you write as policy is going to help here.

For anyone else, it really should be between the ISP and the customer as to who gets listed. Totally ignoring the privacy issue... a policy like this would actually allow for faster response to problems in many cases. As Jay pointed out, many companies may not even have someone technical on staff who can deal with these issues. If you call up a receptionist on the phone, they aren't likely to be able to help you... and even if they are mildly tech savvy, they aren't going to be able to tell the difference between you and someone making a social engineering attempt on them.

Even for organizations that DO have technical people on staff... very few maintain 24/7 NOCs like ISPs do. I know that for our organization, if you try to contact any of our publicly listed numbers outside of regular business hours, you won't get a response. However, our hosting providers and customers do have call sheets with after-hours emergency contact numbers on them... and I'd certainly be willing to provide something similar to an ISP's NOC or other trusted agent that can act as a gateway between someone with a legitimate issue... and someone trying to sell me hosting space in Hong Kong. Tell me, which would yield a faster response?

Respectfully to the security research organizations: why should you not have to justify your legitimate need for such information? Setting aside technical considerations and moving on to ethical/public policy issues: information access should be a two-way street. If you want access to someone else's information, then you should be prepared to surrender your own in order to get it. You should be able to justify your access to that information, and there should be some method of transparency/tracking/accountability as to what you do with it. Right now, WHOIS is about as far away from a two-way street as you can get. The information contained in WHOIS may not be particularly sensitive... but the principle remains the same.

Christopher Engel
