[anti-abuse-wg] National PSDN "UZPAK"
Suresh Ramasubramanian ops.lists at gmail.com
Thu Mar 29 03:38:47 CEST 2012
On Wed, Mar 28, 2012 at 11:27 PM, Florian Weimer <fw at deneb.enyo.de> wrote: > > Can RIPE NCC rely on the UK Register of Companies to validate requests > which aim to establish a UK business as a LIR? > > SOCA seems to suggest that the answer is "no". This is disturbing. Incorporating an LLC with the address of record being a maildrop location, or even an empty lot, has traditionally taken you a few pounds and less than a day .. How or why should the registrar of companies be an authoritative source to declare anything except that "a registered company by that name exists"? In other words, there's absolutely no useful input into your IP justification process that validates that X is a genuine entity who actually needs a /20 for his new datacenter location, rather than to stuff it with botnet C&Cs or whatever. Now, if RIPE NCC were to get the RBN or whoever as a customer, they wouldn't know because they simply don't validate anything much of this sort at all, and even if they do set up some perfunctory validation like checking that the company presenting IP allocation paperwork is registered, that doesn't mean anything relevant. Andy Auld was probably not particularly diplomatic when he said this - but he was 100% correct. http://www.zdnet.co.uk/news/security-threats/2009/10/22/soca-russian-cyber-gang-bribed-police-39825939/ "RBN paid Ripe for services," said Auld. "If we were being harsh, we could say that Ripe has received criminal funds and was involved in money-laundering offences. We are not treating it that way, but you could see it like that." "....to which RIPE NCC pointed out that RBN passed a set of checklists."Our checklists include the provision of proof that a prospective LIR has the necessary legal documentation, which proves that a business is bona fide." Now, it is great that you don't like analogies about the banking industry, and don't work in the banking industry (I don't either, but what I did was to phone my bank manager and ask him what'd happen if such a situation arose). Because you see, if this had happened with our putative bank manager, he'd have been arrested for money laundering and the bank would be facing some fairly extensive audits from the banking regulator, getting its records subpoena'd by the police etc -- Suresh Ramasubramanian (ops.lists at gmail.com) -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20120329/c4a2233f/attachment.html>