[arin-ppml] Revised - Draft Policy ARIN-2018-5: Disallow Third-party Organization Record Creation

Andrew Dul andrew.dul at quark.net
Tue Apr 2 19:59:22 EDT 2019


On 4/2/2019 4:17 PM, Jo Rhett wrote:
> On Apr 1, 2019, at 4:45 PM, Owen DeLong <owen at delong.com 
> <mailto:owen at delong.com>> wrote:
>> as it occurs to me that the following dilemma comes into play:
>>
>> I, as a contractor, often create ORG records for (and at the request 
>> of) my clients. I’m not their ISP and I’m not creating the records 
>> without their knowledge or informed consent (which is the real 
>> problem here). In fact, I only create them when I am in the process 
>> of preparing an IP and/or ASN request for them.
>
> I agree completely with everything Owen said, as I often work in the 
> same capacity.
>
> There also exists situations where a data center (or other 
> organizations) which doesn't own or provide IP assists its customers 
> with preparation of documents for self-management. Perhaps even 
> coarser, there are datacenter utilities and programs that help people 
> prepare or fill out forms. This is under the direction or express 
> action of the customer, but may be generated programatically.
>
> It's hard to read the current proposal and understand the 
> responsibilities in that context. I think we should be friendly to 
> automation opportunities for people who only interact with ARIN once 
> or twice in their organization's lifetime. (especially in the v6 era)
>
The staff assessment of this draft policy perhaps helps with the 
understanding of how ARIN staff will implement this policy.  And maybe 
will help illuminate if additional clarity is needed.

===

Draft Policy 2018-05  requires that only an authorized contact, that is 
verified by ARIN, be allowed to create new organization records. The 
request must be submitted directly to ARIN by the verified authorized 
contact and no third-parties shall be allowed to create organization 
records on behalf of the new organization.

===

The use-case of a contractor working for an organization is a valid use 
case that we need to consider in the implementation of this policy.  The 
draft policy states that "authorized contact representing an entity" can 
create org-id records.  This might be the case of an additional step to 
verify that a contractor is authorized to create a record on an 
organizations behalf.  But, I believe the text itself allows for an 
authorized "contact/contractor" to create an org-id for a specified 
organization.

Andrew


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20190402/0631c9fe/attachment-0002.html>


More information about the ARIN-PPML mailing list