[arin-ppml] Draft Policy ARIN-2022-3: Remove Officer Attestation Requirement for 8.5.5

Thu Jun 23 15:08:09 EDT 2022

Thank you Owen for your response.

This is a reasonable point. I agree that some explicit accountability is
achieved through attestation. I do wonder whether this too may be
redundant. For instance, do other legal artifacts - especially RSA -
provide enough of a framework for accountability to combat fraud?

Certainly that is not a question I would expect the community to answer,
since this is rather in the purview of staff.

Regards,
Matthew

On Thu., Jun. 23, 2022, 11:49 a.m. Owen DeLong, <owen at delong.com> wrote:

>
>
> On Jun 23, 2022, at 09:06 , Matthew Wilder <matthew.wilder at telus.com>
> wrote:
>
> Hi Noah, et al.
>
> It appears that a few of you are not convinced of the problem statement
> for this Draft policy. Just a reminder this is a draft policy authored by
> the Policy Experience Working Group, to solve a customer experience problem
> identified by staff. Also, taking off my AC hat and putting on my day job
> hat for a moment - I can assure you that if you are at an organization of
> significant scale and complexity - this is indeed a real problem. In the
> case of qualification for transfers (8.5.5) this is a redundant step, in
> practice, since significant sums of money must be approved by executives in
> order to execute transfers.
>
>
> It’s not entirely redundant… The significant sums approval doesn’t provide
> the necessary nexus of evidence for ARIN to hold the officers accountable
> in the event of resource fraud.
>
> Companies often escape prosecution by throwing lower level employees under
> the bus and claiming officers had no knowledge of the action in question.
>
> This step prevents that from occurring in the case of ARIN resource fraud.
>
> So yes, while I have some limited sympathy to the problem statement, I am
> in fact unconvinced that the problem requires a solution or that the
> current state imposes an unnecessary burden.
>
> Swapping back to my AC hat now. To my mind, the introduction of officer
> attestations generally helped achieve two positive outcomes. First, it
> supported the principle of conservation. Second, it reduced the opportunity
> for fraud. There may be other benefits obtained by the requirement for
> officer attestation, and I am open to hearing everyone's perspective on
> this.
>
>
> In my opinion it never really did much for the latter, and I’m not
> convinced it did much for the former, either.
>
> From my perspective it has always been about ensuring accountability and
> making sure that an accountable corporate officer (section 16 where
> applicable or equivalent elsewhere) is accountable for the actions of the
> company with regard to ARIN resource registrations. I think that’s still a
> valid need.
>
> This draft policy would do away with the need for officer attestation for
> justification of transfers, but only because the market provides the same
> benefits mentioned above. Would-be fraudsters on the transfer market would
> now face significant cost to execute a transfer, and presumably, an
> organization operating in bad faith could easily provide officer
> attestation. Similarly, documentation of an overly-optimistic plan -
> securing more resources than realistically needed - will mean a higher cost
> to the organization bankrolling the transfer. As a result, the individuals
> accountable for the organization's decisions are well aware of - and
> implicitly supportive of - the plan. An officer attestation is therefore
> redundant in both cases.
>
>
> If I agreed with your understanding of the benefits of attestation, then
> I’d probably agree about the market providing equivalent benefits. However,
> as pointed out above, the market does NOT provide the benefit of
> accountability and therefore, I think that it is still quite necessary and
> does protect the interests of ARIN and the community.
>
>
> To Noah and others who have voiced opposition - let me know if you see a
> case where the officer attestation in 8.5.5 protects the interests of ARIN
> and the community.
>
>
> Yes… See above.
>
> Owen
>
>
> Best regards,
> Matthew
>
>
>
> On Tue, Jun 21, 2022 at 9:15 PM Noah <noah at neo.co.tz> wrote:
>
>>
>>
>> On Wed, 22 Jun 2022, 04:56 ARIN, <info at arin.net> wrote:
>>
>>> On 16 June 2022, the ARIN Advisory Council (AC) accepted "ARIN-prop-309:
>>> Remove Officer Attestation Requirement for 8.5.5" as a Draft Policy.
>>>
>>> Draft Policy ARIN-2022-3: Remove officer attestation requirement for
>>> 8.5.5
>>>
>>> Problem Statement:
>>>
>>> Requiring an officer attestation requires unnecessary resources and
>>> increases the time to complete an IPv4 transfer.
>>>
>>>
>>>
>>> Policy statement:
>>>
>>>
>>>
>>> 8.5.5. Block Size
>>>
>>>
>>>
>>> Organizations may qualify for the transfer of a larger initial block, or
>>> an additional block, by providing documentation to ARIN which details the
>>> use of at least 50% of the requested IPv4 block size within 24 months.
>>>
>>>
>>>
>>> Removing “An officer of the organization shall attest to the
>>> documentation provided to ARIN.
>>>
>> Using time as an excuse does not fly. Attestation is accountability and
>> enforces legitimacy.
>>
>> An authorized officer should not only be aware but MUST also be involved
>> in attesting of documents that involve any Internet Number Resources
>> transfers.
>>
>> We have experienced fast hand on the negative impact of Admin Contacts
>> being clueless to what its that Tech contacts do.
>>
>> So I oppose the policy for using time as an excuse to remove an important
>> process that ensures legitimacy.
>>
>> Noah
>>
>> _______________________________________________
>> ARIN-PPML
>> You are receiving this message because you are subscribed to
>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-ppml
>> Please contact info at arin.net if you experience any issues.
>>
>
>
> --
>
> *Matthew Wilder*
>
> Sr Engineer - IPv6, IP Address Management
> _______________________________________________
> ARIN-PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20220623/2c81f195/attachment.htm>