[arin-ppml] POC privacy

Jimmy Hess mysidia at gmail.com
Fri Oct 26 21:52:12 EDT 2012


On 10/26/12, Christoph Blecker <cblecker at gmail.com> wrote:
> POCs are also used by ARIN to determine who is permitted to modify
> records. Technical and Admin POCs linked to ORGs are how this
> permissions relationship works. Now fair, private Abuse or NOC POCs
> are kind of useless, but the entire argument isn't without merit.

I see how there is potential value there for some organizations. To be
able to list additional authorized users, without a contact listing.

But organizations like Google should be leveraging automation, and
the API interfaces, from centralized systems, rather than having
lots of people permitted to directly modify any record.

That also enables the possibility of additional checks against human
error, and the requisite auditing and security controls.

Having more than a few individuals permitted to directly modify
resources, without even having detailed info shown in WHOIS = Risk.


I realize ARIN uses POCs for this purpose. And other organizations
that wish to have an individual prove authorization, will also use
ARIN POC data as a means of validation.

So POCs have a dual purpose. And yet something that isn't actually
listing contact information in WHOIS, is by definition not a
legitimate usable point of contact.

If the suggestion is to be able to have additional "Private agents"
who may be authorized to submit ARIN resource changes and requests,
who choose to not have listed contact details.

I think I would concede that it is not _that_ bad, as long as:

(1) Private agent data is still required to be recorded, just as if
the POC was going to be fully listed, and all data is still available
to POCs of the organization, such as the administrative contacts.
Possibly by listing just the full name and encrypting the POC
detailed info in WHOIS using PGP, such that only ARIN systems and
other POCs of the organization are enabled to view the complete
contact details.


(2) Every organization still has to have at least one listed Admin
POC, who is a responsive individual, and all details are public.

(3) Every organization has at least one listed NOC or Technical POC,
where all details are public.

(4) Every organization has at least one listed Abuse POC, where all
details are public.



> Cheers,
> Christoph
--
-JH


