An organisation object in the RIPE Database
--------------------------------------------

1. Motivation
-----------

Currently the RIPE Database stores two main types of contact
information: person and role objects. These provide a way to contact
people responsible for operations or usage of the resources whose data
is presented in the RIPE Database (IP blocks, autonomous systems, and
domain names).

However, none of these provide an easy way of mapping resources to a
particular organisation. A user looking up data must first find an
object containing information about a contact point at that
organisation and then, assuming all of that organisation's objects
refer to this contact information, perform an inverse query on the
Database to obtain a list of objects referencing the specified person
or role.

This level of indirection can be somewhat obscure and therefore a
request for a more direct way of attaching an object to an organisation
can be seen as a useful addition to the RIPE Database.

This document is a proposal for an organisation object in the RIPE
Database and the corresponding needed database functionality.

2. The organisation object
-----------------------

The organisation object provides information identifying an
organisation such as a company, charity or university, but not an
individual, that is a holder of a network resource whose data is stored
in the RIPE Database.

The organisation object is identified by a unique name specified in
"organisation:" attribute which is the primary key. An organisation
object can be referenced from other types of objects using an "org:"
attribute.

All objects associated with a particular organisation can be retrieved
from the Database by performing an "inverse query" for that
organisation's name (handle) in the "org:" field of Database objects.

Following is a template for the proposed organisation object and an
example. All attributes except the "ref-nfy:" and "organisation" have
their usual meanings.

    organisation:  [mandatory]  [single]    [primary/look-up key]
    descr:         [mandatory]  [multiple]  [ ]
    remarks:       [optional]   [multiple]  [ ]
    address:       [mandatory]  [multiple]  [ ]
    phone:         [optional]   [multiple]  [ ]
    fax-no:        [optional]   [multiple]  [ ]
    e-mail:        [mandatory]  [multiple]  [look-up key]
    admin-c:       [mandatory]  [multiple]  [inverse key]
    tech-c:        [mandatory]  [multiple]  [inverse key]
    ref-nfy:       [optional]   [multiple]  [inverse key]
    notify:        [optional]   [multiple]  [inverse key]
    mnt-by:        [mandatory]  [multiple]  [inverse key]
    mnt-lower:     [optional]   [multiple]  [inverse key]
    changed:       [mandatory]  [multiple]  [ ]
    source:        [mandatory]  [single]    [ ]

3. New attributes
----------------------

"organisation:"
    Specifies the name of an organisation object. An organisation name
    is made up of letters, digits, the character underscore "_", and
    the character hyphen "-"; it must start with "ORG-", and the last
    character of a name must be a letter or a digit. Hierarchical names
    are possible (see below).

"ref-nfy:"
    Specifies the e-mail address to be notified when a reference to the
    organisation object is added or removed. An e-mail address as
    defined in RFC 2822.
    [We use this functionality in the "irt-nfy:". The name of this
    attribute is more neutral allowing reuse in other object types.]

"org:"
    May appear in any other type of object. It points to an existing
    organisation object representing the entity that holds the
    resource. The value of this attribute is the name of the
    organisation object. It is optional and single-valued.

4. Hierarchical names
---------------------

Names of organisation objects can also be hierarchical. A hierarchical
name is a sequence of organisation names separated by colons ":". The
purpose of a hierarchical name is to partition the organisation name
space so that the maintainers of the organisation ORG-X1 control the
whole organisation name space underneath, i.e. ORG-X1:...:Xn-1.

Thus, an organisation object with name ORG-X1:...:Xn-1:Xn can only be
created by the maintainer of the object with name ORG-X1:...:Xn-1 (one
level less specific object). That is, only the maintainer of ORG-COM1
can create an organisation with name ORG-COM1:COM1-EUROPE; and only the
maintainer of ORG-COM1:COM1-EUROPE can create an organisation with the
name ORG-COM1:COM1-EUROPE:UK.

A typical use case for hierarchical names could be a multinational
company with several subsidiaries in various countries.

5. Authorisation checks
----------------------------------

5.1 Basic use
----------------------------------

When modifying an organisation object the update should pass
authorisation checks specified by one of the mntners listed in
"mnt-by:" attributes of the organisation object.

When adding an "org:" attribute to an object, the update of the object
should pass the following authorisation checks:

 - from one of the mntners of the referenced organisation object
 - from one of the mntner objects that protect the referencing object

5.2 Hierarchical authentication
----------------------------------

If a hierarchical name is used for an organisation object, then the
addition of an object must be authorised by an organisation object
whose key is named by everything to the left of the rightmost colon in
the name of the object being added (one level less specific object).
Authorisation is determined by first using the "mnt-lower:" mntner
reference, or if absent, using the "mnt-by:" mntner reference.

If a hierarchical name is used then deletion of the object can be
authorised by the one level less specific object. Authorisation is
determined by first using the "mnt-lower:" mntner reference, or if
absent, using the "mnt-by:" mntner reference. Note that an organisation
object that is referenced by an "org:" attribute may still not be
deleted.

6. New query functionality
--------------------------

Query flags that allow retrieval of less or more specific objects
(-l, -L, -m, -M) can be used in lookups for an organisation object with
a hierarchical name. Without these flags an exact match is returned if
found.

7. Examples
------------

A basic organisation object:

    organisation: ORG-EXAMPLE
    descr:        An example organisation
    address:      Random St.
    address:      The Netherlands
    phone:        +31 123 4567
    fax-no:       +31 123 4568
    e-mail:       contact@example.com
    admin-c:      EXAM1-RIPE
    tech-c:       EXAM2-RIPE
    notify:       ripe-mailbox@example.com
    ref-nfy:      ripe-mailbox@example.com
    mnt-by:       EXAMPLE-MNT
    changed:      someguy@example.com 20030121
    source:       RIPE

A network that references an organisation object:

    inetnum:      192.168.86.0 - 192.168.86.255
    netname:      EXAMPLE-NET-86
    descr:        Sample network
    org:          ORG-EXAMPLE
    country:      NL
    admin-c:      EXAM1-RIPE
    tech-c:       EXAM2-RIPE
    status:       ASSIGNED PI
    mnt-by:       EXAMPLE-MNT
    mnt-lower:    EXAMPLE-MNT
    changed:      someguy@example.com 20030122
    source:       RIPE

Hierarchical organisation usage:

    organisation: ORG-EXAMPLE:RESEARCH
    descr:        Research branch of example organisation
    address:      Secret Court
    address:      The Netherlands
    e-mail:       bigbrain@example.com
    admin-c:      EXAM1-RIPE
    tech-c:       EXAM3-RIPE
    ref-nfy:      bigbrain@example.com
    mnt-by:       EXAMPLE-RESEARCH-MNT
    changed:      someguy@example.com 20030121
    changed:      bigbrain@example.com 20030122
    source:       RIPE

Example of querying for an organisation (returns the "more specific"
organisations):

    $ whois -h whois.ripe.net -M ORG-EXAMPLE
    .
    .
    .
    organisation: ORG-EXAMPLE:RESEARCH
    .
    .

-----------------------------------
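
The name syntax from section 3 and the hierarchical authorisation rule from section 5.2, worked through in Python as an added example (not code from the proposal or from the RIPE Database software). The function names, the in-memory dictionary standing in for the database and the EXAMPLE-RESEARCH-LOWER-MNT maintainer are assumptions made for illustration; following the proposal's own examples, only the first component of a hierarchical name is required to start with "ORG-".

```python
import re

# Assumption (from the proposal's examples such as ORG-COM1:COM1-EUROPE:UK):
# only the first component must start with "ORG-". Every component uses
# letters, digits, "_" and "-", and must end in a letter or digit.
COMPONENT = re.compile(r"[A-Za-z0-9_-]*[A-Za-z0-9]")

# Constructed sample data. The mnt-lower value is hypothetical and is not
# part of the objects shown in the proposal.
DB = {
    "ORG-EXAMPLE": {"mnt-by": {"EXAMPLE-MNT"}},
    "ORG-EXAMPLE:RESEARCH": {
        "mnt-by": {"EXAMPLE-RESEARCH-MNT"},
        "mnt-lower": {"EXAMPLE-RESEARCH-LOWER-MNT"},
    },
}

def parse_org_name(name):
    """Split a (possibly hierarchical) name into components, validating each."""
    parts = name.split(":")
    if not parts[0].startswith("ORG-"):
        raise ValueError(f"{name!r}: name must start with 'ORG-'")
    for part in parts:
        if not COMPONENT.fullmatch(part):
            raise ValueError(f"{name!r}: bad component {part!r}")
    return parts

def parent_name(name):
    """Everything left of the rightmost colon; None for a top-level name."""
    parts = parse_org_name(name)
    return ":".join(parts[:-1]) if len(parts) > 1 else None

def authorising_mntners(name, db):
    """Maintainers of the one level less specific object that may authorise
    adding or deleting `name`: its mnt-lower set, or mnt-by if that is absent."""
    parent = parent_name(name)
    if parent is None:
        return set()  # the hierarchical check does not apply to top-level names
    if parent not in db:
        raise LookupError(f"parent object {parent!r} does not exist")
    obj = db[parent]
    return set(obj.get("mnt-lower") or obj["mnt-by"])

def hierarchy_allows(name, passed_mntners, db):
    """True if the update passed authorisation for at least one required mntner."""
    required = authorising_mntners(name, db)
    return not required or bool(required & set(passed_mntners))

if __name__ == "__main__":
    for who in ({"EXAMPLE-MNT"}, {"EXAMPLE-RESEARCH-MNT"}):
        print(sorted(who), hierarchy_allows("ORG-EXAMPLE:RESEARCH:LAB", who, DB))
```

Both maintainers in the demo loop are refused for ORG-EXAMPLE:RESEARCH:LAB: the top-level maintainer is two levels up, and the parent's "mnt-by:" is not consulted once "mnt-lower:" is present.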