[arin-ppml] ARIN-prop-180 ISP Private Reassignment

Chris Engel cengel at conxeo.com
Wed Aug 22 12:02:57 EDT 2012


The company I work for is a vendor to a lot of Fortune 500 Financial Institutions. I have a lot of experience going through security audits with them. I haven't seen one yet that has had a security issue with a WHOIS listing. You can look at pretty much all the multi-national ones and they all have WHOIS. Generally speaking, having valid contact info for their networks actually improves security as it gives a timely venue to report problems coming from their network which they might have missed. As long as the POCs are trained to deal with social engineering style attacks there isn't really an issue. As Jimmy Hess has already pointed out, WHOIS really is the least of an institution's worry in terms of profiling for an attack.

Nevertheless, if your client really has privacy concerns about WHOIS, there are ALREADY perfectly legal solutions for such institutions that don't involve any policy changes and still preserve the functionality provided by WHOIS. All they need do is set up a Doing-Business-As (DBA) or a Legal Trust to use as the listing...and they can hire a service to receive mail for them (e.g. Mailboxes ETC) or direct it to their attorney's office. That's how organizations with serious privacy concerns deal with such issues.


Christopher Engel 
