
I think that one entity's CSAM-hosting bullet-proof provider is another
entity's ransomware-proof business continuity system.
Also thinking about the IETF DIEM WG problem.

Andrew Campling <andrew.campling@419.consulting> wrote:
> In my view, extending effective KYC processes across the ecosystem will
> add friction, making the life of malicious actors more difficult.

KYC for ASN and IPv6 address blocks would seem to be a much different
situation than FQDNs.

Unmonitored email addresses are a scourge across all sorts of operators.
Fake ones are a different kettle of fish to me.

At one point I heard about a SIP-based project where, with the right
configuration on my SIP proxy, I could pick up a phone, dial an *ASN*, and get
connected to operations for that ISP... That was 15+ years ago, I think.
I certainly never got that working, and I've no idea if it was real.
What I liked about it is that it provided a sort of secret-decoder ring
bypass so that one legitimate operator could reach another one quickly.

While I don't know if voice-by-ASN is a good thing, a way to verify emails
from one operator (including the RIR itself) to another operator seems like
a good thing. This is where I'd prefer that RIPE go.

There are many ways to envision such a thing: from rebooting PGP-web-of-trust
key-signing parties at RIR meetings, to having a RIR-operated walled-garden
email+IMAP server. (i.e., email as26227@asemail.arin.net, but only via ARIN,
RIPE, LACNIC, AFRINIC or APNIC's SMTP submit port. Port-25 is not open)
And a dozen intermediate concepts. To using something that isn't SMTP.

The carrot is that one can send more reliable reports, and receive reports
without dealing with untraceable spam.
The stick is that you'd lose your resource if you didn't monitor it.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide