[arin-ppml] Regarding unauthorized changes (Re: Policy question)

[Owen DeLong]

On Sep 20, 2012, at 19:39 , Jimmy Hess <mysidia at gmail.com> wrote:

> On 9/20/12, John Curran <jcurran at arin.net> wrote:
> 
> Number resources are assigned to the organization that own the
> newtork(s) resources are assigned to;  the resources don't belong to
> the authorized POCs,  whether ARIN thinks a person or their "Arin
> Online account" are an authorized contact or not...  that is an
> expediency.
> 
> Contacts have no right to request changes on their organization's
> behalf, and represent that they are authorized,   if  their role
> within the organization no longer exists and  has changed in such a
> manner,  as they would not be authorized to make the change, so in
> theory... there should be little possibility at all whatsoever of a
> "dispute of authorized status",   ARIN should listen to  whatever
> organization  signed the RSA, actually contracted for the resources,
> and can prove that with suitable notarized documents.

While what you say is true, ARIN has no way to make that determination
and without some documentation to prove such an assertion validated
by a court order, expecting them to do so is fraught with peril.

How does ARIN distinguish "the organization" from "An authorized POC
for the organization"? How does ARIN determine that this person claiming
to represent "the organization" who is not an authorized POC on the
organization or resource records is actually more legitimate than the
person who is an authorized POC?

I understand how what you say seems intuitively correct at face value.
However, when you consider the relative anonymity of the parties
involved with respect to the personal knowledge of ARIN staff, it
becomes quite a bit more complicate as an authentication problem.
As such, court orders are the appropriate mechanism for ARIN to
validate such authentication challenges.

> For example, if an organization fires their employee who is also their
> Administrative POC, but ARIN is not informed.    The former
> administrative POC is no longer authorized within the organization to
> make changes.

However, how is ARIN supposed to know this? As you said, they were
not informed.

> If that person,  still listed as a POC for the resource, comes to
> ARIN,   and requests unauthorized changes,  such as a change of
> address,  or deletion of  other contacts, and they are executed,
> because ARIN was never informed that the contact is no longer
> authorized.....

ARIN cannot distinguish such a request from a legitimate request.

> Will ARIN revert those changes, and replace the Admin POC with the new
> one,  when provided a suitable attestation by the officers of the
> organization?

If the officers are not listed POCs, how does ARIN validate that they
are, in fact, officers? How is the situation you describe above distinguishable
from ARIN's perspective from one in which:

Administrative POC remains, but the VCs that own controlling interest
have fired the entire management team (including all officers) and the
POC deletes all of the officers from the POC list as a result? At the
same time, the VCs move the nearly failed venture into new smaller
less lavish offices to conserve capital, so a change of address is also
processed by the Admin POC.

Now, the disgruntled former officers come to ARIN with an attestation
requesting that the changes be reverted in an effort to take over the
resources and cause grief to the new management team.

If you can explain how, absent a court order validating the legitimacy
of such attestation can be properly authenticated by ARIN, I'm all
ears. From my perspective, I suspect ARIN would be unable to
distinguish the two reliably without a court order. 
> 
> 
> If not, perhaps the policy in place is  not really adequate....
> 

Perhaps the policy is just fine, but some events really are beyond ARIN's
ability to identify "the right thing".


Owen