Am 31.05.22 um 15:12 schrieb denis walker:

> Colleagues
>
> I have raised an issue on the DB WG mailing list about publishing in
> the database the identity of natural persons holding resources.

Hi, this mail triggered the expected avalanche of controversial responses, which quickly devolved into name-calling, so
I prefer to respond to the original instead of any of the later responses.

There are conflicting interests at work here. In your proposal, you mention the need to contact resource owners, which
is probably accepted by most.

However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with
whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with
them, just as I don't want to discuss with burglars about their actions!

So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider",
like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for
identifying who can be held accountable for abuse emitted from a network range.

For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should
be mandatory. This does not need to include personal data on employees that happen to be responsible for network or
abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often
becomes stale anyway after some years).

However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24
network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible
enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information.
For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for
the content if you address the general public, and if you do business of any kind and you're not a corporation, you must
do so under your name.

I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual
persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated
through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's
"Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual
office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert,
I think this is wrong, but jurisprudence isn't always compatible with reason.

Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties
involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.

Cheers,
Hans-Martin

--

To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg