Hi all, There are a couple of points to be made here, and sorry for the tardiness: The policy is not introducing a revolutionary concept, as many commenters pointed out, it is basically a representation of an established internet good practice where technical/admin contacts are real channels through which pertinent communication can easily reach whomever needs to take action. It is not a "security theatre", because this is not a geopolitical discussion but rather a technical mean to make sure that the internet ecosystem is a bit more functioning. In fact, the impact analysis mentions that the RIPE NCC estimates that 10-25% of the current abuse contact emails seems to be technically incorrect, and the key aspect to take into consideration is here the technical lack of correctness of such addresses, which result in technical faults, such as for example the ultimate inability of communicating a message to the desired receiver due to a non-functioning, outdated, or misspelled mail address. The proposed policy change was drafted with this in mind, and the expectation is that it will likely increase the chance that an abuse report can be send to a working address, thus probably making a huge lot of sysadmins very happy - and not only them. This policy will not bestow upon RIPE NCC new and extraordinary powers : the extreme measure (and I'd like to underline the term extreme as ultima ratio measure) of proceeding to close an account is the very last resort, and comes as a consequence of a non-responsive behaviour during a significantly extended period of time. Internet is fast, action upon errors has to happen (understandingly fast) : a lack of care in this respect shows a lack of care for the ecosystem itself, and such behaviour should not be encouraged. Moreover, it reflects an existing process based on current policies and procedures: this particular policy change would only expose ADDITIONAL incorrect contact information to this process, as the RIPE NCC would be enabled to identify incorrect abuse contact emails proactively rather than lagging behind, acting retroactively when receiving an external report about it. On the question why only abuse-c was subject to a specific policy, the reason is due to the prominence such entry: surely a policy could extend beyond that. On the claim that abuse-c checks are useless, this is a point to strongly object: inaccurate information is detrimental to all, leads to all kind of complications which can be easily solved with keeping records straight, channels open for communication. Every member can collaborate an put forward policy proposals, and it is down to the whole membership to promote or reject the idea, not the member, as everyone is equally engaged as part of the same ecosystem. Kind regards, Hervé & Sara -----Original Message----- From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Alexander Isavnin Sent: 17 February 2018 22:19 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] 2017-02 Review Phase Reminder Dear Herve! On 2018-02-17 19:00:22 CET, Herve Clement wrote:
Alexander,
I'v stated my opinion and rationale - thank you for your respect. Hope WG Chair will take my opinion (stated before the end of 16 Feb) in account.
Just two things before additional answers beginning of next week: - We've already explained that there's no additional "extraordinary power" given to the RIPE NCC via this proposal: the very potential possibility of an LIR closure exists in the current policies (cf. my message dated 24th January)
I'v seen those mails. I just want to clarify - it's my beliefs (bad) against your beliefs (good). If RIPE NCC Managing director have joined this discussion, clarifying procedures of non-financial LIR closure and/or resource revocation - i would agree with you. Otherwise "very potencial possibility" might become "exactly". There is very well working procedure of non-payment closure. Unless there is exaclty well working and accepted procedure for other reasons of closure - we have to be very accurate with easily violatable policies. (I'v seen brand new RIPE-697).
- You've the right not to agree, that's something I respect. That's not a reason to judge presentations "funny" or proposals "as theater"...
Please, do not take my judgement so personal, i have reasons to not agree with this policy, which i'm explaning you here. Policy that gives no significant and actual change - is a theater. (well, "security theater" is US definition of ineffective but demonstrative activities related to security) And i have another reason for stating that. This theater already had it's pre-premiere perfomance called "Law Enforcement Engagement with the RIPE Policy Development Process": https://www.ripe.net/participate/meetings/roundtable/january-2018/pdp-rt-bru... For me it looks like "propose something, just to show that LEAs are involved in activity related to security". And about "funny" proposal presentation. Let's have some quotes: "essential part of the accountability of the RIPE community", "undermines the effectiveness of the policy", "Improving the trust and safety of the IP address space is a priority for the RIPE community","essential to ensure the efficiency","essential to establish a trusted and transparent environment" - these are so bombastic and sonorous, compared to 1 paragraph of policy change , which will actualy change nothing in abuse handling behavior, so i can't call it rather than funny. At least you had chance to pre-validate all abuse-c contacts available now in database and provide stats in policy rationale. I will change my opinion, if Europol (or any other LEA) could provide any evidence, that incorrect abuse-c: which stayed in database longer than 1 year led to something terrible like homicid. Or not so terrible, like unpaid parking, at least. Kind regards, Alexander Isavnin Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum ******************* DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated. *******************