From alexb at ripe.net Sun Oct 3 19:08:33 2010
From: alexb at ripe.net (Alex Band)
Date: Sun, 3 Oct 2010 19:08:33 +0200
Subject: [ncc-services-wg] RPKI Resource Certification: building features
Message-ID:

Most of the discussions around RPKI Resource Certification that have been held up to now have largely revolved around infrastructure and policy topics. I would like to move away from that here and discuss what kind of value and which features can be offered with Certification for network administrators around the world. Because in the end, the goal is to make Internet routing more robust and create a more reliable method for network operators to make routing decisions.

We all know about the shortcomings of the IRR system and that just half of all prefixes on the Internet have a route object associated with them (http://bgpmon.net/blog/?p=140). However, it does mean that there is a ton of valuable information in the IRRs, whereas the Certification system needs to start from scratch.

Based on many discussions I've had with members and the Community, here is my idea for a Route Origin Authorisation** (ROA) wizard that retrieves IRR information, compares it to real world routing and uses that for the creation of ROA Specifications. This has a number of benefits:

- Network operators don't have to create their routing policy in the Certification system from scratch
- Because a comparison is done between the IRR and RIS (http://ripe.net/ris/), only accurate up-to-date information is added to the Certification system
- The accuracy of the IRR is increased as a bonus, and is achieved without leaving the wizard

Ideally, a network operator should be able to manage and publish their routing policy - both for the IRR and Certification - from one single interface.

Here are the basic steps for the wizard after a certificate is generated:

1. Start ROA Wizard
2. Detect IRR information using the AS numbers in the Certificate, like for example:
   http://www.db.ripe.net/whois?searchtext=AS286&inverse_attributes=origin&form_type=simple
3. Compare results with RIS using RRCC/Netsense, like for example:
   http://www.ris.ripe.net/cgi-bin/rrccng/query.cgi?target=AS286
4. Allow user to flag which ROA specifications they would actually like to create, based on the IRR and RRCC/Netsense results.
5. Allow user to create additional ROA Specifications
6. Detect which maintainer is used for the route objects in the IRR
7. Allow user to specify maintainer password/pgp key, so all route objects are updated/removed/added based on the ROAs that were created. This makes sure the data in the IRR and the Certification system is consistent.
8. Save and publish ROAs and route objects

Do you think there is value in creating a system like this? Are there any glaring holes that I missed, or something that could be added? I'm looking forward to your feedback.

Alex Band
RIPE NCC
http://ripe.net/certification

** The certification system largely revolves around three main elements: (1) the Certificate, that offers validated proof of holdership of an Internet Resource, (2) the Route Origin Authorisation Object (ROA), a standardised document that states that the holder of a certain prefix authorises a particular AS to announce that prefix and (3) the Validator, which relying parties, i.e. your peers, can use to validate certificates and ROAs.

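Steps 2 to 4 and 6 of the wizard described in the message above, as an added sketch (not code from the original post or from the RIPE NCC): it parses RPSL route objects, compares them with observed BGP announcements and labels each candidate ROA specification for the operator to review. The status labels, function names and the rule that maxLength is never widened beyond the registered prefix length are assumptions of this example, and all data is constructed from documentation prefixes and AS numbers.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data: documentation prefixes and AS numbers only.
IRR_TEXT = """\
route:      192.0.2.0/24
descr:      Example customer block
origin:     AS64496
mnt-by:     EXAMPLE-MNT
source:     RIPE

route:      198.51.100.0/24
origin:     AS64496
mnt-by:     EXAMPLE-MNT
source:     RIPE

route:      203.0.113.0/24
origin:     AS64496
mnt-by:     OLD-EXAMPLE-MNT
source:     RIPE

route6:     2001:db8::/32
origin:     AS64496
mnt-by:     EXAMPLE-MNT
source:     RIPE
"""

# Constructed (prefix, origin AS) pairs standing in for what RIS reports.
BGP_SEEN = [
    ("192.0.2.0/24", 64496),        # same prefix and origin as the route object
    ("198.51.100.0/25", 64496),     # more specific than the registered /24
    ("203.0.113.0/24", 64511),      # registered prefix, different origin
    ("2001:db8::/32", 64496),
    ("2001:db8:ffff::/48", 64511),  # no matching route object at all
]

Candidate = namedtuple("Candidate", "prefix origin max_length status preselected")


def parse_route_objects(text):
    """Step 2: turn RPSL route/route6 objects into (network, asn, maintainers)."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so IPv6 survives
            if sep:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        prefix = (attrs.get("route") or attrs.get("route6") or [None])[0]
        origin = (attrs.get("origin") or [""])[0].upper()
        if prefix is None or not origin.startswith("AS"):
            continue  # not a usable route object
        objects.append((ipaddress.ip_network(prefix), int(origin[2:]),
                        tuple(attrs.get("mnt-by", []))))
    return objects


def build_candidates(irr_objects, bgp_seen):
    """Steps 3-4: compare IRR with BGP and label every candidate for review."""
    seen = [(ipaddress.ip_network(p), asn) for p, asn in bgp_seen]
    candidates = []
    for net, origin, _ in irr_objects:
        origins_seen = {asn for p, asn in seen if p == net}
        if origin in origins_seen:
            status = "irr+bgp"            # registered and announced as registered
        elif origins_seen:
            status = "origin-mismatch"    # announced, but by another AS
        else:
            status = "irr-only"           # registered, not seen in BGP
        # Only entries confirmed by both sources are pre-ticked; the operator decides.
        candidates.append(Candidate(str(net), origin, net.prefixlen,
                                    status, status == "irr+bgp"))
    irr_prefixes = {net for net, _, _ in irr_objects}
    for p, asn in seen:
        if p in irr_prefixes:
            continue  # already reported above
        covered = any(origin == asn and net.version == p.version and p.subnet_of(net)
                      for net, origin, _ in irr_objects)
        status = "bgp-more-specific" if covered else "bgp-only"
        candidates.append(Candidate(str(p), asn, p.prefixlen, status, False))
    return candidates


def roa_specs(candidates):
    """ROA specifications (prefix, maxLength, origin AS) for the pre-ticked entries."""
    return [(c.prefix, c.max_length, c.origin) for c in candidates if c.preselected]


def maintainers(irr_objects):
    """Step 6: maintainers whose credentials are needed to update the route objects."""
    return sorted({m for _, _, mnts in irr_objects for m in mnts})


if __name__ == "__main__":
    objs = parse_route_objects(IRR_TEXT)
    for cand in build_candidates(objs, BGP_SEEN):
        print(cand)
    print("maintainers:", maintainers(objs))
```
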
From alexb at ripe.net Mon Oct 4 10:29:50 2010
From: alexb at ripe.net (Alex Band)
Date: Mon, 4 Oct 2010 10:29:50 +0200 (CEST)
Subject: [ncc-services-wg] RPKI Resource Certification: building features
In-Reply-To: <76B62F3C-730C-4E20-A83B-5AFD41A851A7@delong.com>
References: <76B62F3C-730C-4E20-A83B-5AFD41A851A7@delong.com>
Message-ID: <56603.2001:67c:2e8:13:223:6cff:fe97:77dc.1286180990.squirrel@webmail.ripe.net>

On Mon, October 4, 2010 04:38, Owen DeLong wrote:
>
> On Oct 3, 2010, at 7:26 PM, Randy Bush wrote:
>
>>> Do you think there is value in creating a system like this?
>>
>> yes. though, given issues of errors and deliberate falsifications, i am
>> not entirely comfortable with the whois/bgp combo being considered
>> formally authoritative. but we have to do something.

But blindly considering whois/BGP authoritative is not what I am proposing. I want to confront the network operator with what is registered in the IRR and what is seen in BGP, and let the human element make decisions and corrections, improving data quality in the process.

>>> Are there any glaring holes that I missed
>>
>> yes. the operator should be able to hold the private key to their
>> certificate(s) or the meaning of 'private key' and the security
>> structure of the [ripe part of the] rpki is broken.
>>
>> randy

In the hosted implementation the RIPE NCC currently has, only a registered contact for an LIR with whom we have a business relationship has access to the secured LIR Portal in which the Certification system is embedded.

The reason to offer a hosted system initially, is to take away the burden from an LIR of having to run their own Certificate Authority. We offer a service that makes the entry barrier for Certification as low as possible. Properly running your own CA, with all the crypto aspects, is no small feat for a lot of LIRs (technically, but perhaps more psychologically).
You may argue that it's easy and cheap to do yourself, but just look at adoption rates and levels of IPv6 and DNSSEC *at an LIR level* to see what reality is like.

After the production launch on 1 January 2011, the next step we will take is to implement the up/down protocol, allowing people to run their own Certificate Authority if they choose to do so. We plan to roll this out in the first half of 2011. We'll go one step further by having our software certified by an external independent company, and releasing it as open source to the Community, so they can be sure they adopt a robust system if they choose our package.

So in the end our implementation is not 'broken' as you say, it is in the middle of a planned, phased approach. Not everything is possible yet and that is a deliberate decision.

> I'll go a step further and say that the resource holder should be
> the ONLY holder of the private key for their resources.
>
> Owen

If you're saying that ISPs can only participate in an RPKI scheme if they run their own Certificate Authority, then I think that would practically ruin the chances of Certification actually ever taking off on a large scale.

-Alex

From owen at delong.com Mon Oct 4 11:59:53 2010
From: owen at delong.com (Owen DeLong)
Date: Mon, 4 Oct 2010 02:59:53 -0700
Subject: [ncc-services-wg] RPKI Resource Certification: building features
In-Reply-To: <56603.2001:67c:2e8:13:223:6cff:fe97:77dc.1286180990.squirrel@webmail.ripe.net>
References: <76B62F3C-730C-4E20-A83B-5AFD41A851A7@delong.com> <56603.2001:67c:2e8:13:223:6cff:fe97:77dc.1286180990.squirrel@webmail.ripe.net>
Message-ID:

>
>> I'll go a step further and say that the resource holder should be
>> the ONLY holder of the private key for their resources.
>>
>> Owen
>
> If you're saying that ISPs can only participate in an RPKI scheme if they
> run their own Certificate Authority, then I think that would practically
> ruin the chances of Certification actually ever taking off on a large
> scale.
>
> -Alex

No... I'm saying that if ISPs aren't the only entities that hold their private keys, then they aren't the only entities that can sign their resources.

If you choose to delegate the CA role for signing your resources to someone else, then, obviously, you have to give them a valid private key with which to sign those resources.

However, in doing that, you've created a situation where your signature is now much easier to forge. Kind of like automatic signing machines for checks. Benefit: The accounting department can sign thousands of checks and the CFO doesn't have to. Draw-back... The accounting department can sign thousands of checks without the CFO knowing they did so.

Owen

From tim at ripe.net Mon Oct 4 13:39:51 2010
From: tim at ripe.net (Tim Bruijnzeels)
Date: Mon, 04 Oct 2010 13:39:51 +0200
Subject: [ncc-services-wg] RPKI Resource Certification: building features
In-Reply-To:
References: <76B62F3C-730C-4E20-A83B-5AFD41A851A7@delong.com> <56603.2001:67c:2e8:13:223:6cff:fe97:77dc.1286180990.squirrel@webmail.ripe.net>
Message-ID: <4CA9BD07.9020901@ripe.net>

Hi,

as one of the main developers of the RIPE NCC implementation I would like to give some answers to the questions raised by Owen.

On 10/4/10 11:59 AM, Owen DeLong wrote:
>>
>>> I'll go a step further and say that the resource holder should be
>>> the ONLY holder of the private key for their resources.
>>>
>>> Owen
>>
>> If you're saying that ISPs can only participate in an RPKI scheme if they
>> run their own Certificate Authority, then I think that would practically
>> ruin the chances of Certification actually ever taking off on a large
>> scale.
>>
>> -Alex
>
> No... I'm saying that if ISPs aren't the only entities that hold their
> private keys, then they aren't the only entities that can sign their
> resources.

The hosted system that we created uses Hardware Signing Modules (HSM) for generating keys and signing operations. By design it is impossible to retrieve the private keys.
Any process or feature that would involve the transferral of keys cannot be implemented.

Access to the *use* of the keys is a different thing though. This is controlled by the software. Although we cannot extract the keys, we can instruct the HSM to create a new key, or use an existing key to sign something.

Our hosted software controls all (activated) hosted member certificate authorities. The process has potential access to the *use* of *all* keys in the system. However, other security layers are implemented to ensure that for a given LIR only those users that have the 'certification' group enabled are *authorised* to use the hosted system -- and thereby the applicable keys.

>
> If you choose to delegate the CA role for signing your resources
> to someone else, then, obviously, you have to give them a valid
> private key with which to sign those resources.
>

Given this setup a member can authorise any person to use the system by creating an LIR Portal account for them and enabling the certification group. Only the LIR's admin user can do this.

> However, in doing that, you've created a situation where your
> signature is now much easier to forge. Kind of like automatic
> signing machines for checks. Benefit: The accounting department
> can sign thousands of checks and the CFO doesn't have to.
> Draw-back... The accounting department can sign thousands of
> checks without the CFO knowing they did so.
>

The current system has an audit history page that shows all the commands executed by users. It includes details like the name of the user, the time of the change and further details: e.g. in case of the modification of a ROA specification the complete new specification is visible in the history.

There is currently no additional notification mechanism implemented but that would be fairly trivial to add if there is a demand.

Non-hosted:
=====

Of course we put a lot of effort into maintaining security and quality of the implementation we built.
But we can well imagine that for some people it is a matter of principle that they want full local access to their own private keys and important configuration objects such as ROAs -- and don't want to be hosted on a shared system outside of their control. Other members may not mind so much about this and choose to trust and use the hosted services.

There is a standard that is close to completion in the SIDR WG in the IETF that defines a protocol by which a parent and child Certificate Authority can communicate.

http://tools.ietf.org/html/draft-ietf-sidr-rescerts-provisioning-06

In our case the RIPE NCC system could function as the parent CA for a non-hosted LIR child CA. The LIR can then deploy anything they see fit themselves. They would have full access to their own private keys and everything else in their system and can delegate as they see fit. And add new features of course.

But..

1) We have not implemented support for this yet. We plan to go live with the fully hosted version first and extend it with support for non-hosted systems around Q2/Q3 2011.

2) It can take considerable effort for LIRs to set up their own non-hosted solution from scratch. We know that ISC is developing an open source solution (rpkid) that may be useful for LIRs that want to run their own instance. From our side we will make sure that we test interoperation with this system when we implement this protocol in our system.

Randy Bush who is cc-ed may be able to provide some more insight in the features offered by the ISC rpkid. I don't know whether the features mentioned by Alex in his first message will be supported by this system.

Regards
Tim Bruijnzeels
RIPE NCC

> Owen
>

From owen at delong.com Mon Oct 4 14:03:26 2010
From: owen at delong.com (Owen DeLong)
Date: Mon, 4 Oct 2010 05:03:26 -0700
Subject: [ncc-services-wg] RPKI Resource Certification: building features
In-Reply-To: <4CA9BD07.9020901@ripe.net>
References: <76B62F3C-730C-4E20-A83B-5AFD41A851A7@delong.com> <56603.2001:67c:2e8:13:223:6cff:fe97:77dc.1286180990.squirrel@webmail.ripe.net> <4CA9BD07.9020901@ripe.net>
Message-ID: <1AF7E02F-3EA0-4DBB-AF53-D87210996928@delong.com>

>>
>> No... I'm saying that if ISPs aren't the only entities that hold their
>> private keys, then they aren't the only entities that can sign their
>> resources.
>
> The hosted system that we created uses Hardware Signing Modules (HSM)
> for generating keys and signing operations. By design it is impossible
> to retrieve the private keys. Any process or feature that would involve
> the transferral of keys cannot be implemented.
>

In other words, not only do you hold the resource holder's private key, but, they do not. This means that the ability to sign their resources is 100% under your control and 0% under their control except to the extent that you allow it.

While I'm not accusing RIPE of nefarious conduct and do not believe that there is any malicious intent in the system, I do believe that it is a security model that any rational provider would likely consider untenable.

The fact that you cannot retrieve the key is of little relevance, since you have full use of the key without retrieving it.

> Access to the *use* of the keys is a different thing though. This is
> controlled by the software. Although we cannot extract the keys, we can
> instruct the HSM to create a new key, or use an existing key to sign
> something.
>

Exactly...

> Our hosted software controls all (activated) hosted member certificate
> authorities. The process has potential access to the *use* of *all* keys
> in the system.
> However, other security layers are implemented to ensure
> that for a given LIR only those users that have the 'certification'
> group enabled are *authorised* to use the hosted system -- and thereby
> the applicable keys.
>

But by the very nature, the administrators of the system have the ability to make themselves members of the certification group. While I'm not saying that I think RIPE would do such a thing, the reality is that using this hosted solution is placing a tremendous amount of trust in the system and the administrators of the system. I have no problem with LIRs that choose to do this, so long as they are making an informed decision and understand the risks. I think the risks have been substantially down-played.

>>
>> If you choose to delegate the CA role for signing your resources
>> to someone else, then, obviously, you have to give them a valid
>> private key with which to sign those resources.
>>
>
>
> Given this setup a member can authorise any person to use the system by
> creating an LIR Portal account for them and enabling the certification
> group. Only the LIR's admin user can do this.
>

Really? There's no way for any member of RIPE staff to make corrections to an LIR's admin account such that it would be possible to bypass this? I tend to doubt that any sustainable system could be built in such a manner.

Again, I am not accusing RIPE of doing so, but, pointing out that for such a hosted solution to remain functional over time, there must be certain compromises in the trust model. These compromises should at least give one pause and be carefully considered prior to handing over that level of trust.

>> However, in doing that, you've created a situation where your
>> signature is now much easier to forge. Kind of like automatic
>> signing machines for checks. Benefit: The accounting department
>> can sign thousands of checks and the CFO doesn't have to.
>> Draw-back...
>> The accounting department can sign thousands of
>> checks without the CFO knowing they did so.
>>
>
> The current system has an audit history page that shows all the commands
> executed by users. It includes details like the name of the user, the
> time of the change and further details: e.g. in case of the modification
> of a ROA specification the complete new specification is visible in the
> history.
>

So at least if someone does something horrible, assuming the system integrity is not compromised in the process, we can tell what happened and either who did it, or, at least who they chose to impersonate. That's good, but, by itself it is not enough.

> There is currently no additional notification mechanism implemented but
> that would be fairly trivial to add if there is a demand.
>

That would be a good additional safety feature.

>
> Non-hosted:
> =====
>
> Of course we put a lot of effort into maintaining security and quality
> of the implementation we built. But we can well imagine that for some
> people it is a matter of principle that they want full local access to
> their own private keys and important configuration objects such as ROAs
> -- and don't want to be hosted on a shared system outside of their
> control. Other members may not mind so much about this and choose to
> trust and use the hosted services.
>

Exactly my point... Such a choice should be an informed decision and if it is not a matter of choice made by the organization holding the resource (as is currently the case), then, there are issues.

> There is a standard that is close to completion in the SIDR WG in the IETF
> that defines a protocol by which a parent and child Certificate
> Authority can communicate.
>
> http://tools.ietf.org/html/draft-ietf-sidr-rescerts-provisioning-06
>

Which is a major step forward in this area.

> In our case the RIPE NCC system could function as the parent CA for a
> non-hosted LIR child CA. The LIR can then deploy anything they see fit
> themselves.
> They would have full access to their own private keys and
> everything else in their system and can delegate as they see fit. And
> add new features of course.
>

Another alternative in the meantime would be for the resource holder to maintain their private key and have transactions accomplished through a CSR process, but, obviously, this comes with a different set of tradeoffs, not the least of which is a certain amount of manual and mechanical complexity.

> But..
> 1) We have not implemented support for this yet. We plan to go live with
> the fully hosted version first and extend it with support for non-hosted
> systems around Q2/Q3 2011.
>
> 2) It can take considerable effort for LIRs to set up their own
> non-hosted solution from scratch. We know that ISC is developing an open
> source solution (rpkid) that may be useful for LIRs that want to run
> their own instance. From our side we will make sure that we test
> interoperation with this system when we implement this protocol in our
> system.
>

I think that's a good plan. However, Randy's criticisms of the hosted solution are not without merit.

While I am glad to see that the RIPE hosted solution is not such a scheme, my comments were based on the fact that other schemes I have seen for other certificate systems involved the user holding their private key after it was given to them by the hosted system. Such a system would obviously be the worst of all worlds from a security standpoint.

Owen

From randy at psg.com Mon Oct 4 23:18:29 2010
From: randy at psg.com (Randy Bush)
Date: Tue, 05 Oct 2010 06:18:29 +0900
Subject: [ncc-services-wg] RPKI Resource Certification: building features
In-Reply-To: <4CA9BD07.9020901@ripe.net>
References: <76B62F3C-730C-4E20-A83B-5AFD41A851A7@delong.com>
Message-ID:

> 1) We have not implemented support for this yet. We plan to go live
> with the fully hosted version first and extend it with support for
> non-hosted systems around Q2/Q3 2011.

this is a significant slip from the 1q11 we were told in prague. care to explain.

> Randy Bush who is cc-ed may be able to provide some more insight in
> the features offered by the ISC rpkid. I don't know whether the
> features mentioned by Alex in his first message will be supported by
> this system.

calling it isc's is a bit incorrect, but no difference. it is an open source, bsd license, i.e. free as in free, implementation of all of the rpki protocols, provisioning, up/down, publication, relying party, proto-gui to manage your resources, ... the full monty. it has been operational in a testbed with isp players from asia, the states, europe, ... for some time.

randy

From alexb at ripe.net Tue Oct 5 10:51:04 2010
From: alexb at ripe.net (Alex Band)
Date: Tue, 5 Oct 2010 10:51:04 +0200
Subject: [ncc-services-wg] RPKI Resource Certification: building features
In-Reply-To:
References: <76B62F3C-730C-4E20-A83B-5AFD41A851A7@delong.com>
Message-ID: <253F6328-8289-4D2B-9847-5E00D5E1FC38@ripe.net>

On 4 Oct 2010, at 23:18, Randy Bush wrote:

>> 1) We have not implemented support for this yet. We plan to go live
>> with the fully hosted version first and extend it with support for
>> non-hosted systems around Q2/Q3 2011.
>
> this is a significant slip from the 1q11 we were told in prague. care
> to explain.

Let me run you through the roadmap and the motivation for our choices at RIPE61.

In short, everything we do is about providing *value* for our membership and the community. This means that with the resources we have, we have to make a choice between (1) offering a solution with every feature under the sun, but contains little value and usability or (2) we choose to do a phased approach where the entry barrier into the system is low, hassle is taken away from the operator, value and user-friendliness is high while still being standards compliant and keeping the operator in the driver's seat.
Soon we'll get to the full package where all options, like running your own CA, are available. It perhaps just isn't done in the order that a purist would like to see.

Let me illustrate with two examples: I've delivered full day training courses on Routing Registry and DNSSEC. With the RR course, by the time I was done explaining how to use the IRRToolset to aid in making routing decisions based on the IRR, people had given up and decided that doing it manually was easier. Like you said at RIPE60: "people are voting with their feet." In the DNSSEC training, by the time I was done explaining how to do a manual key roll-over, most LIRs decided 'this is not for me, the cure is worse than the disease'.

This is why I want to get back to my original point, Randy. You agreed in your first reply to me that something has to be done to create an easy way to get started with the system. We can provide a full, standards-compliant solution with up/down and every other feature, but how is that going to get all ~350,000 prefixes and ~35,000 ASs into the system with ROAs? Manually?

I proposed an IRR+BGP import system as a value-added tool to help a network operator get started making ROAs. That's a pretty good starting point. Where do you suggest we go from here?

Of course I appreciate everyone else's response to this thread as well! :)

Cheers,

-Alex

From randy at psg.com Tue Oct 5 13:10:46 2010
From: randy at psg.com (Randy Bush)
Date: Tue, 05 Oct 2010 20:10:46 +0900
Subject: [ncc-services-wg] RPKI Resource Certification: building features
In-Reply-To: <253F6328-8289-4D2B-9847-5E00D5E1FC38@ripe.net>
References: <76B62F3C-730C-4E20-A83B-5AFD41A851A7@delong.com> <253F6328-8289-4D2B-9847-5E00D5E1FC38@ripe.net>
Message-ID:

alex,

i am not gonna argue with you. 96% of your users will be happy for you to do everything for them, despite the fact that the wrong holder has the keys (and, as john says, the liability). but 96% of your address space, i.e.
the large holders, will want to hold their own keys and talk up/down to you and deal with publication points. kinda like the irr.

so write back when you have done the full job.

randy

From BSanghani at relianceglobalcom.com Wed Oct 6 12:15:06 2010
From: BSanghani at relianceglobalcom.com (Bijal Sanghani)
Date: Wed, 6 Oct 2010 11:15:06 +0100
Subject: [ncc-services-wg] Call For Agenda Items RIPE 61
Message-ID: <891E52B6F6F62E4F9376CAA357C17C1580970C30@LON-MBX01.RGCOM.COM>

Dear NCC-Services WG,

RIPE 61 in Rome is approaching fast and we are looking at putting the agenda together for the NCC Services WG.

This is your opportunity to let the RIPE NCC know what you want from them, if you would like to suggest a presentation or raise a topic for discussion please let me know.

Kind regards,

Bijal Sanghani
RIPE NCC Services WG Co-Chair

From mir at ripe.net Mon Oct 11 09:37:18 2010
From: mir at ripe.net (Mirjam Kuehne)
Date: Mon, 11 Oct 2010 09:37:18 +0200
Subject: [ncc-services-wg] Active Measurements Network - Call for Sponsors
Message-ID: <4CB2BEAE.9050207@ripe.net>

[Apologies for duplicate emails]

Dear colleagues,

The next article in the Active Measurements series has been published on RIPE Labs:

Wanted: Partners to Sponsor "RIPE Atlas" Effort
http://labs.ripe.net/Members/dfk/active-measurements-sponsorship

It describes sponsorship benefits, but also some more details about the measurement network, including a time line.

Please also note the three related articles published earlier:

- Active Measurements Need More Vantage Points
  https://labs.ripe.net/Members/dfk/active-measurements-need-more-vantage-points
- Active Measurements - A Small Probe
  https://labs.ripe.net/Members/dfk/a-small-probe-for-active-measurements?searchterm=Active
- Active Measurements - Hosting a Probe
  https://labs.ripe.net/Members/dfk/active_measurements/hosting-a-probe-for-active-measurements

Kind Regards,
Mirjam Kuehne
https://labs.ripe.net

From denis at ripe.net Wed Oct 13 16:50:17 2010
From: denis at ripe.net (Denis Walker)
Date: Wed, 13 Oct 2010 16:50:17 +0200
Subject: [ncc-services-wg] Mandatory maintainer on PERSON and ROLE objects
Message-ID: <4CB5C729.9010900@ripe.net>

[Apologies for duplicate emails]

Dear Colleagues

Some time ago, the RIPE Data Protection Task Force recommended that all RIPE Database objects should have a mandatory "mnt-by:" attribute. This is to prevent easy corruption of data, either accidentally or maliciously. There were three object types where this attribute was optional. DOMAIN objects have already been changed to make this attribute mandatory. The RIPE NCC is now ready to deploy mandatory "mnt-by:" attributes on PERSON and ROLE objects.

A test server was made available in February with this feature. Details can be found in the mail archive at:
http://www.ripe.net/ripe/maillists/archives/db-wg/2010/msg00084.html

This feature will be deployed during the week commencing 18 October 2010. Initially, the only impact on maintainers of data in the RIPE Database will be when PERSON or ROLE objects are created or modified. These operations will fail if the data is not maintained.

Additional warning messages will be generated when other objects are modified that reference unmaintained data. These warnings will not cause any database operations to fail.

For new users of the RIPE Database, there is a start-up application to create the first pair of PERSON/MNTNER objects available at:
http://apps.db.ripe.net/startup/

This is now the only way to create the first set of data objects in the RIPE Database. Note the URL is different to the one in the mail archive message above.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

From mir at ripe.net Fri Oct 15 12:28:26 2010
From: mir at ripe.net (Mirjam Kuehne)
Date: Fri, 15 Oct 2010 12:28:26 +0200
Subject: [ncc-services-wg] New Resource Certification
Message-ID: <4CB82CCA.1070206@ripe.net>

[Apologies for duplicate emails]

Dear colleagues,

We just announced a new release of the RIPE NCC Resource Certification system. We are gearing up for the production release on 1 January 2011 and have implemented some critical changes and new features.

Please find more details on RIPE Labs:
http://labs.ripe.net/Members/AlexBand/new-release-of-the-resource-certification-system

If you have any comments or questions, please do not hesitate to leave them under the article.

Kind Regards,
Mirjam Kuehne
RIPE Labs

From shahin at admins.ir Tue Oct 19 18:33:00 2010
From: shahin at admins.ir (Shahin Gharghi)
Date: Tue, 19 Oct 2010 20:03:00 +0330
Subject: [ncc-services-wg] Optimize to be new LIR progress
Message-ID:

Dear RIPE NCC

I am a LIR maintainer.
I have a suggestion for you.
Would you make a checklist for people who are new to RIPE and LIR?
I mean make a checklist for all steps to be a LIR, from A to Z.
For example:

1. fill the First form
2. receive a mail
3. sign the papers
4. ...
5. ...
6. request a PA
   - by email:
   - by webupdate
   - by wizard
20. ...
21. set the IPs on your machines

I guess it's better to understand for newbies, because they can see all of the steps at first.

And second suggestion:

You can choose self candidate from old LIRs, and put their contact details on your website, and new users can talk to him in native language.
It allows users to exchange their experiences together.

Thank you.
--
Best Regards.
Shahin Gharghi
www.PersianAdmins.com
www.Gharghi.ir
Cell : +98 917 3009177

From michiel at klaver.it Tue Oct 19 19:19:53 2010
From: michiel at klaver.it (Michiel Klaver)
Date: Tue, 19 Oct 2010 19:19:53 +0200
Subject: [ncc-services-wg] Optimize to be new LIR progress
In-Reply-To:
References:
Message-ID: <4CBDD339.2080608@klaver.it>

Hi Shahin,

there is already a list of present LIRs available with contact information here:
http://ripe.net/membership/indices/

With kind regards,

Michiel Klaver
IT Professional

On 19-10-2010 18:33, Shahin Gharghi wrote:
>
> Dear Ripe NCC
>
> I am a LIR maintainer.
> I have a suggestion for you.
> Would you make a checklist for people who are new to RIPE and LIR?
> I mean make a checklist for all steps to be a LIR, from A to Z,
> for example:
>
> 1. fill the First form
> 2. receive a mail
> 3. sign the papers
> 4. ...
> 5. ...
> 6. request a PA
>
> o by email:
> o by webupdate
> o by wizard
>
> 20. ...
> 21. set the IPs on your machines
>
> I guess it's better to understand for newbies, because they can see all of
> steps at first.
>
>
> And second suggestion:
>
> You can choose self candidate from old LIRs and put their contact details
> on your website, and new users can talk to him in native language.
> It allows users to exchange their experiences together.
>
> Thank you.
> --
> Best Regards.
> Shahin Gharghi
> www.PersianAdmins.com
> www.Gharghi.ir
> Cell : +98 917 3009177

From wolfgang.tremmel at de-cix.net Wed Oct 20 09:35:26 2010
From: wolfgang.tremmel at de-cix.net (Wolfgang Tremmel)
Date: Wed, 20 Oct 2010 09:35:26 +0200
Subject: [ncc-services-wg] Optimize to be new LIR progress
In-Reply-To:
References:
Message-ID: <4CBE9BBE.8010700@de-cix.net>

Hello,

On 19.10.10 18:33, Shahin Gharghi wrote:
>
> 1. fill the First form
> 2. receive a mail
> 3. sign the papers

4. Attend a Basic LIR training: Most of your questions if not all will be answered there...

http://www.ripe.net/training

best regards,
Wolfgang

--
Wolfgang Tremmel                     e-mail: wolfgang.tremmel at de-cix.net
DE-CIX Management GmbH               Phone: +49 69 1730 902-26
Lindleystr. 12, 60314 Frankfurt      Mobile: +49 171 8600 816
Geschaeftsfuehrer Harald A. Summa    Fax: +49 69 4056 2716
Registergericht AG Koeln, HRB 51135  http://www.de-cix.net
Zentrale: Lichtstr. 43i, 50825 Koeln

From Robert.Guentensperger at swisscom.com Wed Oct 20 09:44:49 2010
From: Robert.Guentensperger at swisscom.com (Robert.Guentensperger at swisscom.com)
Date: Wed, 20 Oct 2010 09:44:49 +0200
Subject: [ncc-services-wg] Optimize to be new LIR progress
In-Reply-To: <4CBE9BBE.8010700@de-cix.net>
References: <4CBE9BBE.8010700@de-cix.net>
Message-ID: <831E932DD83E504DB4A4BA37B47C102C722D25FAAB@SG1923Z.corproot.net>

Hi Wolfgang

That's a good hint. But keep in mind that trainings don't take place every week in your city/country. Some questions have to be answered before the next available training.

Cheers, Robert

Robert Güntensperger
Swisscom (Schweiz) AG
Network Services Operation
Binzring 17
8045 Zürich
www.swisscom.ch
Postadresse:
Postfach
8021 Zürich

-----Original Message-----
From: ncc-services-wg-admin at ripe.net [mailto:ncc-services-wg-admin at ripe.net] On Behalf Of Wolfgang Tremmel
Sent: Wednesday, October 20, 2010 9:35 AM
To: ncc-services-wg at ripe.net
Subject: Re: [ncc-services-wg] Optimize to be new LIR progress

Hello,

On 19.10.10 18:33, Shahin Gharghi wrote:
>
> 1. fill the First form
> 2. receive a mail
> 3. sign the papers

4. Attend a Basic LIR training: Most of your questions if not all will be answered there...

http://www.ripe.net/training

best regards,
Wolfgang

--
Wolfgang Tremmel                     e-mail: wolfgang.tremmel at de-cix.net
DE-CIX Management GmbH               Phone: +49 69 1730 902-26
Lindleystr. 12, 60314 Frankfurt      Mobile: +49 171 8600 816
Geschaeftsfuehrer Harald A. Summa    Fax: +49 69 4056 2716
Registergericht AG Koeln, HRB 51135  http://www.de-cix.net
Zentrale: Lichtstr. 43i, 50825 Koeln

From sergey at devnull.ru Wed Oct 20 11:25:35 2010
From: sergey at devnull.ru (Sergey Myasoedov)
Date: Wed, 20 Oct 2010 11:25:35 +0200
Subject: [ncc-services-wg] personal data in the NCC
Message-ID: <1431415051.20101020112535@devnull.ru>

Hello,

I would like to talk about personal data protection. After the audit process, NCC demands that we send them, together with the contract, the ID of person who signs the End User assignment contract (even if the contract is signed by a person on behalf of company).

It seems strange: the CEO of company that wants IP resources signs the contract, probably stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such operations - we should request ID or RIPE NCC will not assign resources for our customers.

Even more, RIPE NCC requires scans of ID, and this action violates local laws in some countries (for example, CZ or RU). In Russia, personal data can be processed only after a special agreement (except some cases mentioned in the law), but we will send the ID images without any special agreements to the NCC.

I tried to find some statements on data protection in the RIPE NCC or on any guarantee of confidentiality, but no such information found in the standard service agreement or any policy documents.

On these grounds, I would like to initiate a change. RIPE NCC should have data protection procedures or RIPE NCC should not request personal IDs of third parties.

--
Sergey

From shahin at admins.ir Wed Oct 20 12:12:08 2010
From: shahin at admins.ir (Shahin Gharghi)
Date: Wed, 20 Oct 2010 13:42:08 +0330
Subject: [ncc-services-wg] Re: Optimize to be new LIR progress (Shahin Gharghi)
Message-ID:

> Message: 5
> Date: Wed, 20 Oct 2010 11:25:35 +0200
> From: Sergey Myasoedov
> To: ncc-services-wg at ripe.net
> Subject: [ncc-services-wg] personal data in the NCC
>
> Hello,
>
> I would like to talk about personal data protection. After the audit process, NCC demands
> that we send them, together with the contract, the ID of person who signs the End User
> assignment contract (even if the contract is signed by a person on behalf of company).
>
> It seems strange: the CEO of company that wants IP resources signs the contract, probably
> stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such
> operations - we should request ID or RIPE NCC will not assign resources for our customers.
>
> Even more, RIPE NCC requires scans of ID, and this action violates local laws in some
> countries (for example, CZ or RU). In Russia, personal data can be processed only after a
> special agreement (except some cases mentioned in the law), but we will send the ID images
> without any special agreements to the NCC.
>
> I tried to find some statements on data protection in the RIPE NCC or on any guarantee of
> confidentiality, but no such information found in the standard service agreement or any
> policy documents.
>
> On these grounds, I would like to initiate a change. RIPE NCC should have data protection
> procedures or RIPE NCC should not request personal IDs of third parties.
>
>
> --
> Sergey
>
>
>
>
> End of ncc-services-wg Digest
>

Hello

I didn't say to put all of private information of all LIRs on the web. I just mean there is some LIR maintainer in all cities that knows RIPE rules well.
Some of them are free and they can answer the newbies' questions in local language and condition.

Thank you
--
Best Regards.
Shahin Gharghi
www.PersianAdmins.com
www.Gharghi.ir
Cell : +98 917 3009177

From jim at rfc1035.com Wed Oct 20 12:30:59 2010
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 20 Oct 2010 11:30:59 +0100
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <1431415051.20101020112535@devnull.ru>
References: <1431415051.20101020112535@devnull.ru>
Message-ID:

On 20 Oct 2010, at 10:25, Sergey Myasoedov wrote:

> RIPE NCC should have data protection procedures

It does. This is compulsory for any organisation in the EU that holds Personal Data. The NCC is legally obliged to follow the EU Directives on Privacy and Data Protection (primarily 95/46/EC but also parts of 97/66/EC and 2002/58/EC) and how these are enacted in Dutch law. Although I'm not a lawyer, I expect that the EU and Dutch legislation in this area will be compatible with Russian data protection law.

> I tried to find some statements on data protection in the RIPE NCC
> or on any guarantee of confidentiality, but no such information
> found in the standard service agreement or any policy documents.

Strange. It should be public somewhere.

BTW, in general it's usually more of a problem exporting Personal Data from the EU than it is to send that Personal Data there

From dburk at burkov.aha.ru Wed Oct 20 11:43:26 2010
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Wed, 20 Oct 2010 13:43:26 +0400
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <1431415051.20101020112535@devnull.ru>
References: <1431415051.20101020112535@devnull.ru>
Message-ID: <4CBEB9BE.4010303@burkov.aha.ru>

Hello,
Sergey is right.
But it seems that solution is not so simple as proposed and I expect that RIPE NCC will investigate the problem in deep.
Dmitry

On 20.10.2010 13:25, Sergey Myasoedov wrote:
> Hello,
>
> I would like to talk about personal data protection. After the audit process, NCC demands
> that we send them, together with the contract, the ID of person who signs the End User
> assignment contract (even if the contract is signed by a person on behalf of company).
>
> It seems strange: the CEO of company that wants IP resources signs the contract, probably
> stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such
> operations - we should request ID or RIPE NCC will not assign resources for our customers.
>
> Even more, RIPE NCC requires scans of ID, and this action violates local laws in some
> countries (for example, CZ or RU). In Russia, personal data can be processed only after a
> special agreement (except some cases mentioned in the law), but we will send the ID images
> without any special agreements to the NCC.
>
> I tried to find some statements on data protection in the RIPE NCC or on any guarantee of
> confidentiality, but no such information found in the standard service agreement or any
> policy documents.
>
> On these grounds, I would like to initiate a change. RIPE NCC should have data protection
> procedures or RIPE NCC should not request personal IDs of third parties.
>
>
> --
> Sergey
>

From randy at psg.com Wed Oct 20 13:11:55 2010
From: randy at psg.com (Randy Bush)
Date: Wed, 20 Oct 2010 04:11:55 -0700
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <1431415051.20101020112535@devnull.ru>
References: <1431415051.20101020112535@devnull.ru>
Message-ID:

does ncc provide personal data of ncc ceo for their side of the contract?
randy

From sergey at devnull.ru Wed Oct 20 13:20:36 2010
From: sergey at devnull.ru (Sergey Myasoedov)
Date: Wed, 20 Oct 2010 13:20:36 +0200
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To:
References: <1431415051.20101020112535@devnull.ru>
Message-ID: <142589405.20101020132036@devnull.ru>

Randy,

no, they didn't provide IDs when I asked. I received the following answer from the NCC (smile!):

> Our legal team has informed me that as a transparent and open company all our employees
> pictures and names are available on our public webpages so it is clear all of our
> contacts are known to the public.

Next time I'll use such words when visiting the notary.

Wednesday, October 20, 2010, 1:11:55 PM, you wrote:

RB> does ncc provide personal data of ncc ceo for their side of the
RB> contract?

RB> randy

--
Sergey

From dburk at burkov.aha.ru Wed Oct 20 13:23:34 2010
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Wed, 20 Oct 2010 15:23:34 +0400
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To:
References: <1431415051.20101020112535@devnull.ru>
Message-ID: <4CBED136.7000602@burkov.aha.ru>

Jim,
the issue is not to comply EC laws, but Russian law.
I am not a lawyer, but know that exactly now the comparable issues were raised by registrars regarding their relationships with registries and ICANN.

Dima

On 20.10.2010 14:30, Jim Reid wrote:
> On 20 Oct 2010, at 10:25, Sergey Myasoedov wrote:
>
>> RIPE NCC should have data protection procedures
>
> It does. This is compulsory for any organisation in the EU that holds
> Personal Data. The NCC is legally obliged to follow the EU Directives
> on Privacy and Data Protection (primarily 95/46/EC but also parts of
> 97/66/EC and 2002/58/EC) and how these are enacted in Dutch law.
> Although I'm not a lawyer, I expect that the EU and Dutch legislation
> in this area will be compatible with Russian data protection law.
>
>> I tried to find some statements on data protection in the RIPE NCC or
>> on any guarantee of confidentiality, but no such information found in
>> the standard service agreement or any policy documents.
>
> Strange. It should be public somewhere.
>
> BTW, in general it's usually more of a problem exporting Personal Data
> from the EU than it is to send that Personal Data there
>

From sergey at devnull.ru Wed Oct 20 13:31:02 2010
From: sergey at devnull.ru (Sergey Myasoedov)
Date: Wed, 20 Oct 2010 13:31:02 +0200
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <4CBED136.7000602@burkov.aha.ru>
References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru>
Message-ID: <465243455.20101020133102@devnull.ru>

Dima,

in my opinion providing personal IDs of European citizens (CEOs) violates EC/EU law too. But as a member of EB you can ask the NCC to investigate the problem.

As you are informed on Russian specific of data protection, did you already ask the NCC? When?

Wednesday, October 20, 2010, 1:23:34 PM, you wrote:

DB> Jim,
DB> the issue is not to comply EC laws, but Russian law.
DB> I am not a lawyer, but know that exactly now the comparable issues were
DB> raised by registrars regarding their relationships with registries and
DB> ICANN.

>>> RIPE NCC should have data protection procedures
>>
>> It does. This is compulsory for any organisation in the EU that holds
>> Personal Data. The NCC is legally obliged to follow the EU Directives
>> on Privacy and Data Protection (primarily 95/46/EC but also parts of
>> 97/66/EC and 2002/58/EC) and how these are enacted in Dutch law.
>> Although I'm not a lawyer, I expect that the EU and Dutch legislation
>> in this area will be compatible with Russian data protection law.
>>
>>> I tried to find some statements on data protection in the RIPE NCC or
>>> on any guarantee of confidentiality, but no such information found in
>>> the standard service agreement or any policy documents.
>>
>> Strange. It should be public somewhere.
>>
>> BTW, in general it's usually more of a problem exporting Personal Data
>> from the EU than it is to send that Personal Data there
>>

--
Sergey

From randy at psg.com Wed Oct 20 13:31:16 2010
From: randy at psg.com (Randy Bush)
Date: Wed, 20 Oct 2010 04:31:16 -0700
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <142589405.20101020132036@devnull.ru>
References: <1431415051.20101020112535@devnull.ru> <142589405.20101020132036@devnull.ru>
Message-ID:

> no, they didn't provide IDs when I asked. I received the following
> answer from the NCC (smile!):
>
>> Our legal team has informed me that as a transparent and open company
>> all our employees pictures and names are available on our public
>> webpages so it is clear all of our contacts are known to the public.

no problem. when ncc asks for your ceo's id, point them to your web site

randy

From thor.kottelin at turvasana.com Wed Oct 20 13:24:12 2010
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Wed, 20 Oct 2010 14:24:12 +0300
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To:
References: <1431415051.20101020112535@devnull.ru>
Message-ID:

> -----Original Message-----
> From: ncc-services-wg-admin at ripe.net [mailto:ncc-services-wg-admin at ripe.net] On Behalf Of Jim Reid
> Sent: Wednesday, October 20, 2010 1:31 PM
> To: Sergey Myasoedov
> Cc: ncc-services-wg at ripe.net

> On 20 Oct 2010, at 10:25, Sergey Myasoedov wrote:

> > I tried to find some statements on data protection in the RIPE NCC
> > or on any guarantee of confidentiality, but no such information
> > found in the standard service agreement or any policy documents.
>
> Strange. It should be public somewhere.

Wouldn't that be ?
--
Thor Kottelin
http://www.anta.net/

From jim at rfc1035.com Wed Oct 20 13:50:02 2010
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 20 Oct 2010 12:50:02 +0100
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <465243455.20101020133102@devnull.ru>
References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru>
Message-ID:

On 20 Oct 2010, at 12:31, Sergey Myasoedov wrote:

> in my opinion providing personal IDs of European citizens (CEOs)
> violates EC/EU law too.

I think you may be mistaken. But since I'm not a lawyer, I don't know what I'm talking about either. :-) I seriously doubt that the NCC would have a policy that violated EU or Dutch law. Or that all the NCC's membership, board and management would have failed to spot that if it was the case.

BTW, I complained to the UK authorities when the electricity company's call centre demanded my date of birth before they'd talk to me about a billing problem. They wanted that info for authentication. The Information Commissioner's Office dismissed my complaint that this was an unreasonable and disproportionate use of my Personal Data by the power company. So their behaviour was legal even though in my non-expert opinion they had violated the third principle of the EU directive.

And yes, I clearly have far too much spare time on my hands if I spend it on things like formal complaints to the ICO. :-)

From jhma at mcvax.org Wed Oct 20 13:17:23 2010
From: jhma at mcvax.org (James Aldridge)
Date: Wed, 20 Oct 2010 13:17:23 +0200
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <1431415051.20101020112535@devnull.ru>
References: <1431415051.20101020112535@devnull.ru>
Message-ID: <4CBECFC3.6090103@mcvax.org>

On 20/10/2010 11:25, Sergey Myasoedov wrote:
> I would like to talk about personal data protection.
> After the audit process, NCC demands
> that we send them, together with the contract, the ID of person who signs the End User
> assignment contract (even if the contract is signed by a person on behalf of company).
>
> It seems strange: the CEO of company that wants IP resources signs the contract, probably
> stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such
> operations - we should request ID or RIPE NCC will not assign resources for our customers.
>
> Even more, RIPE NCC requires scans of ID, and this action violates local laws in some
> countries (for example, CZ or RU). In Russia, personal data can be processed only after a
> special agreement (except some cases mentioned in the law), but we will send the ID images
> without any special agreements to the NCC.
>
> I tried to find some statements on data protection in the RIPE NCC or on any guarantee of
> confidentiality, but no such information found in the standard service agreement or any
> policy documents.

You're probably looking for http://www.ripe.net/legal/privacy-statement.html

Regards,
James

From dburk at burkov.aha.ru Wed Oct 20 13:55:18 2010
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Wed, 20 Oct 2010 15:55:18 +0400
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To:
References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru>
Message-ID: <4CBED8A6.10900@burkov.aha.ru>

Jim,
I don't know - but as I remember one of the basic principle of this law regarding transborder personal data transfer-
such data can be transferred only to countries which comply some requirements
(as to have comparable laws and so on).

We simply should get legal answer before to discuss.

Dima

On 20.10.2010 15:50, Jim Reid wrote:
> On 20 Oct 2010, at 12:31, Sergey Myasoedov wrote:
>
>> in my opinion providing personal IDs of European citizens (CEOs)
>> violates EC/EU law too.
>
> I think you may be mistaken.
> But since I'm not a lawyer, I don't know
> what I'm talking about either. :-) I seriously doubt that the NCC
> would have a policy that violated EU or Dutch law. Or that all the
> NCC's membership, board and management would have failed to spot that
> if it was the case.
>
> BTW, I complained to the UK authorities when the electricity company's
> call centre demanded my date of birth before they'd talk to me about a
> billing problem. They wanted that info for authentication. The
> Information Commissioner's Office dismissed my complaint that this was
> an unreasonable and disproportionate use of my Personal Data by the
> power company. So their behaviour was legal even though in my
> non-expert opinion they had violated the third principle of the EU
> directive.
>
> And yes, I clearly have far too much spare time on my hands if I spend
> it on things like formal complaints to the ICO. :-)
>

From dburk at burkov.aha.ru Wed Oct 20 13:57:48 2010
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Wed, 20 Oct 2010 15:57:48 +0400
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To:
References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru>
Message-ID: <4CBED93C.4070502@burkov.aha.ru>

Jim,
in general - you know the situation with Data Protection laws deployment around the world (as minimum, partly).
There are still a lot of unresolved issues as even perfect law sometimes tell nothing about how deploy in real life.

Dima

On 20.10.2010 15:50, Jim Reid wrote:
> On 20 Oct 2010, at 12:31, Sergey Myasoedov wrote:
>
>> in my opinion providing personal IDs of European citizens (CEOs)
>> violates EC/EU law too.
>
> I think you may be mistaken. But since I'm not a lawyer, I don't know
> what I'm talking about either. :-) I seriously doubt that the NCC
> would have a policy that violated EU or Dutch law.
> Or that all the
> NCC's membership, board and management would have failed to spot that
> if it was the case.
>
> BTW, I complained to the UK authorities when the electricity company's
> call centre demanded my date of birth before they'd talk to me about a
> billing problem. They wanted that info for authentication. The
> Information Commissioner's Office dismissed my complaint that this was
> an unreasonable and disproportionate use of my Personal Data by the
> power company. So their behaviour was legal even though in my
> non-expert opinion they had violated the third principle of the EU
> directive.
>
> And yes, I clearly have far too much spare time on my hands if I spend
> it on things like formal complaints to the ICO. :-)
>

From jim at rfc1035.com Wed Oct 20 14:01:18 2010
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 20 Oct 2010 13:01:18 +0100
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <4CBED8A6.10900@burkov.aha.ru>
References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru>
Message-ID: <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com>

On 20 Oct 2010, at 12:55, Dmitry Burkov wrote:

> I don't know - but as I remember one of the basic principle of this
> law regarding transborder personal data transfer-
> such data can be transferred only to countries which comply some
> requirements
> (as to have comparable laws and so on).

That's right. The problems tend to be sending data from the EU because its Data Protection framework is stronger than most other parts of the world. It would be good to find out why it's hard to send Personal Data to the EU and what needs to be done about that.

> We simply should get legal answer before to discuss.

Yes. None of us are lawyers.
From ula at ripn.net Wed Oct 20 14:57:08 2010
From: ula at ripn.net (Larisa Yurkina)
Date: Wed, 20 Oct 2010 16:57:08 +0400
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com>
References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com>
Message-ID: <4CBEE722.6040805@ripn.net>

Jim Reid wrote, 20.10.2010 16:01:
> On 20 Oct 2010, at 12:55, Dmitry Burkov wrote:
>
>> I don't know - but as I remember one of the basic principle of this
>> law regarding transborder personal data transfer-
>> such data can be transferred only to countries which comply some
>> requirements
>> (as to have comparable laws and so on).
>
> That's right. The problems tend to be sending data from the EU because
> its Data Protection framework is stronger than most other parts of the
> world. It would be good to find out why it's hard to send Personal
> Data to the EU and what needs to be done about that.
>
>> We simply should get legal answer before to discuss.
>
> Yes. None of us are lawyers.
>

Hi,
I think it's a question of the RIPE NCC procedures rather than Data protection itself.
It's not clear why Personal ID was requested.
According to ripe-418 RIPE NCC Standard Terms and Conditions
4.1 The Contributor may be a natural person or a legal entity.
The same goes to End User contracts.
Natural person should provide Personal ID (copy of passport),
legal entity should provide Registration certificate to prove legality.
With respect,
--
Larisa Yurkina
RIPN
tel: +7(495)737-0604
fax: +7(499)196-4984

From andrew at ripe.net Wed Oct 20 15:11:15 2010
From: andrew at ripe.net (Andrew de la Haye)
Date: Wed, 20 Oct 2010 15:11:15 +0200
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <1431415051.20101020112535@devnull.ru>
References: <1431415051.20101020112535@devnull.ru>
Message-ID: <57F02740-2A1F-4005-A87E-46641C198373@ripe.net>

Dear Sergey,

Thank you for your email. All personal data obtained by the RIPE NCC is handled in accordance with Dutch law and European Union data protection legislation, as required for an organisation operating in the Netherlands.

The RIPE NCC Privacy Statement is publicly available on the RIPE website, and describes the situations in which personal data may be requested and the RIPE NCC's responsibilities when handling such data:
http://www.ripe.net/legal/privacy-statement.html

Please note the following sections:
- "Except as described herein or when under a statutory duty to do so, the RIPE NCC does not share or transfer any personal data." [Section 2.1]
- "The RIPE NCC maintains a high level of physical security and protection for all its computer and network facilities, and, in particular, for those in which personal information may be stored." [Section 3]

As a registry, the RIPE NCC has a mandate to ensure the accuracy of our registration data. Verifying the identity of LIR representatives is directly relevant to this mandate.

I hope this clarifies the RIPE NCC's position in relation to this matter.

Best regards,

Andrew de la Haye
Chief Operations Officer, RIPE NCC

On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote:

> Hello,
>
> I would like to talk about personal data protection. After the audit process, NCC demands
> that we send them, together with the contract, the ID of person who signs the End User
> assignment contract (even if the contract is signed by a person on behalf of company).
>
> It seems strange: the CEO of company that wants IP resources signs the contract, probably
> stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such
> operations - we should request ID or RIPE NCC will not assign resources for our customers.
>
> Even more, RIPE NCC requires scans of ID, and this action violates local laws in some
> countries (for example, CZ or RU). In Russia, personal data can be processed only after a
> special agreement (except some cases mentioned in the law), but we will send the ID images
> without any special agreements to the NCC.
>
> I tried to find some statements on data protection in the RIPE NCC or on any guarantee of
> confidentiality, but no such information found in the standard service agreement or any
> policy documents.
>
> On these grounds, I would like to initiate a change. RIPE NCC should have data protection
> procedures or RIPE NCC should not request personal IDs of third parties.
>
>
> --
> Sergey
>

From davidm at futureinquestion.net Wed Oct 20 17:03:49 2010
From: davidm at futureinquestion.net (David Monosov)
Date: Wed, 20 Oct 2010 17:03:49 +0200
Subject: [ncc-services-wg] personal data in the NCC
In-Reply-To: <57F02740-2A1F-4005-A87E-46641C198373@ripe.net>
References: <1431415051.20101020112535@devnull.ru> <57F02740-2A1F-4005-A87E-46641C198373@ripe.net>
Message-ID: <4CBF04D5.3@futureinquestion.net>

Dear Andrew,

In your e-mail, you state:

>
> As a registry, the RIPE NCC has a mandate to ensure the accuracy of our
> registration data. Verifying the identity of LIR representatives is directly
> relevant to this mandate.
>

It is however my understanding that the question of Mr.
Myasoedov relates to PI resources assigned to end users through the LIR in which he is a representative, where the end user is an organization, and the requested personal identification documents were required for the representatives of the end user organization, rather than the LIR itself.

The intention of the RIPE NCC to not only collect personal identification documents from representatives of organizational end users, but to externalize this burden to individual LIRs which process PI requests on behalf of end users was not apparent from proposal 2007-01, nor from subsequent operational discussions on its implementation.

Instead, it was understood, and has previously been the operational reality, that organizational users will submit a certificate of incorporation or similar document attesting the organization's existence under the laws of their country of origin, and a contract which meets the requirements outlined in policy proposal 2007-01.

Could you please elaborate on the circumstances which required this deviation from the standard operational procedure and the situations in which this new condition will be invoked?

Such unannounced changes can be very disruptive to an established administrative workflow between a LIR and its end users if imposed suddenly, and while I am certain that the RIPE NCC is acting with the goal of improving accountability in resource assignment, a balance must be maintained between the mandate the community has granted the RIPE NCC with the introduction of policy 2007-01, and its ability to spontaneously introduce new administrative conditions to resource assignment.

--
Respectfully yours,

David Monosov

On 10/20/2010 03:11 PM, Andrew de la Haye wrote:
> Dear Sergey,
>
> Thank you for your email. All personal data obtained by the RIPE NCC is handled
> in accordance with Dutch law and European Union data protection legislation, as
> required for an organisation operating in the Netherlands.
>
> The RIPE NCC Privacy Statement is publicly available on the RIPE website, and
> describes the situations in which personal data may be requested and the RIPE
> NCC's responsibilities when handling such data:
> http://www.ripe.net/legal/privacy-statement.html
>
> Please note the following sections:
> - "Except as described herein or when under a statutory duty to do so, the RIPE
> NCC does not share or transfer any personal data." [Section 2.1]
> - "The RIPE NCC maintains a high level of physical security and protection for
> all its computer and network facilities, and, in particular, for those in which
> personal information may be stored." [Section 3]
>
> As a registry, the RIPE NCC has a mandate to ensure the accuracy of our
> registration data. Verifying the identity of LIR representatives is directly
> relevant to this mandate.
>
> I hope this clarifies the RIPE NCC's position in relation to this matter.
>
> Best regards,
>
> Andrew de la Haye
> Chief Operations Officer, RIPE NCC
>
>
>
>
>
> On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote:
>
>> Hello,
>>
>> I would like to talk about personal data protection. After the audit process,
>> NCC demands
>> that we send them, together with the contract, the ID of person who signs the
>> End User
>> assignment contract (even if the contract is signed by a person on behalf of
>> company).
>>
>> It seems strange: the CEO of company that wants IP resources signs the
>> contract, probably
>> stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no
>> choice on such
>> operations - we should request ID or RIPE NCC will not assign resources for
>> our customers.
>>
>> Even more, RIPE NCC requires scans of ID, and this action violates local laws
>> in some
>> countries (for example, CZ or RU). In Russia, personal data can be processed
>> only after a
>> special agreement (except some cases mentioned in the law), but we will send
>> the ID images
>> without any special agreements to the NCC.
>>
>> I tried to find some statements on data protection in the RIPE NCC or on any
>> guarantee of
>> confidentiality, but no such information found in the standard service
>> agreement or any
>> policy documents.
>>
>> On these grounds, I would like to initiate a change. RIPE NCC should have data
>> protection
>> procedures or RIPE NCC should not request personal IDs of third parties.
>>
>>
>> --
>> Sergey
>>
>

From dr at cluenet.de Wed Oct 20 21:29:18 2010
From: dr at cluenet.de (Daniel Roesen)
Date: Wed, 20 Oct 2010 21:29:18 +0200
Subject: [ncc-services-wg] Re: personal data in the NCC
In-Reply-To: <4CBEE722.6040805@ripn.net>
References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net>
Message-ID: <20101020192918.GA9453@srv03.cluenet.de>

On Wed, Oct 20, 2010 at 04:57:08PM +0400, Larisa Yurkina wrote:
> It's not clear why Personal ID was requested.
> According to ripe-418 RIPE NCC Standard Terms and Conditions
> 4.1 The Contributor may be a natural person or a legal entity.
> The same goes to End User contracts.
> Natural person should provide Personal ID (copy of passport),
> legal entity should provide Registration certificate to prove legality.

http://www.ripe.net/ripe/docs/ripe-462.html says:

"If your business has not yet been incorporated and has not been registered in the Commercial Trade Register, please include a photocopy of the requester's valid identity card."

(that the requester might just be a natural person or a noncommercial organization is obviously beyond the expectation)

I will definitely NOT send a plain copy of my passport around. Nowhere else is such a drastic measure ever required, except buying ammunition and firearms via mailorder. Asking for that to get a few numbers assigned is plain over the top.
[and RIPE NCC wouldn't be able to verify the validity of that ID copy anyway, so this is bogus in the first place] Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From sergey at devnull.ru Wed Oct 20 21:53:40 2010 From: sergey at devnull.ru (Sergey Myasoedov) Date: Wed, 20 Oct 2010 21:53:40 +0200 Subject: [ncc-services-wg] personal data in the NCC In-Reply-To: <20101020192918.GA9453@srv03.cluenet.de> References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> Message-ID: <627989.20101020215340@devnull.ru> Daniel, thanks for the feedback. Unfortunately, registration services department doesn't give me a chance: my customers should provide the IDs or they will not receive the IP resources. Of course, most of my customers are registered in the Trade Register, but RIPE NCC requires the photocopy of CEO's ID who is signing the contract. Great, CEOs of small companies will provide the IDs. But what will happen when I'll sign the contract with the government's IT department? Should I ask for the ID of prime-minister or deputy prime-minister? OK, not government, but the province. Should I ask for the personal ID of the deputy governor? (this is a public person and the province has a website) I understand that the problem is complicated, but I would like to raise up both (local and global) problems together. Wednesday, October 20, 2010, 9:29:18 PM, you wrote: >> It's not clear why Personal ID was requested. >> According to ripe-418 RIPE NCC Standard Terms and Conditions >> 4.1 The Contributor may be a natural person or a legal entity. >> The same goes to End User contracts. >> Natural person should provide Personal ID (copy of passport), >> legal entity should provide Registration certificate to prove legality.
DR> http://www.ripe.net/ripe/docs/ripe-462.html says: DR> "If your business has not yet been incorporated and has not been DR> registered in the Commercial Trade Register, please include a photocopy DR> of the requester's valid identity card." DR> (that the requester might just be a natural person or a noncommercial DR> organization is obviously beyond the expectation) DR> I will definitely NOT send a plain copy of my passport around. Nowhere DR> else is such a drastic measure ever required, except buying ammunition DR> and firearms via mailorder. Asking for that to get a few numbers DR> assigned is plain over the top. DR> [and RIPE NCC wouldn't be able to verify the validity of that ID copy DR> anyway, so this is bogus in the first place] -- Sergey From rumy at ripe.net Thu Oct 21 11:29:19 2010 From: rumy at ripe.net (Rumy Kanis) Date: Thu, 21 Oct 2010 11:29:19 +0200 Subject: [ncc-services-wg] Optimize to be new LIR progress In-Reply-To: <09D4E375-6570-443E-9401-EC6A2018630E@ripe.net> References: <4CBE9BBE.8010700@de-cix.net> <831E932DD83E504DB4A4BA37B47C102C722D25FAAB@SG1923Z.corproot.net> <09D4E375-6570-443E-9401-EC6A2018630E@ripe.net> Message-ID: <5A902BBE-F246-41FC-80EF-65965490E556@ripe.net> Hello again, I just found this on our website: http://www.ripe.net/membership/new-members/step-by-step.html Is this useful for you? thanks, Rumy On Oct 21, 2010, at 11:19 AM, Rumy Kanis wrote: > Hello, > > I agree that the best way of getting up to speed fast is to attend > an LIR Training Course. We travel all around the service region and > deliver an LIR course almost every week. However, I do think it's > useful to have an easy to access checklist (with links) for new LIRs > who can't make it to a course. That's a great suggestion, Shahin! I > will see if this is something we can publish on short notice.
> > In the meantime, you can always have a look at our training > material, there is a lot of information there, including a checklist > in the LIR Handbook (although not as elaborate as suggested by > Shahin): > http://www.ripe.net/training/material.html#LIR > > As I said, I will see if we can publish something on short notice. > > As a side-note, we will be in Iran for an LIR and an IPv6 course on > the 29th and 30th of November. These courses are free for our > members. There are still some places left so please feel free to > register here: > https://lirportal.ripe.net/lirportal/training/course-list.html > (if the course is full, please send a mail to training at ripe.net and > we can see if we can still fit you in) > > Kind regards and thanks for the suggestions, > Rumy > > > --- > Rumy Kanis > Training Services Manager > RIPE NCC > > On Oct 20, 2010, at 9:44 AM, > wrote: > >> Hi Wolfgang >> >> That's a good hint. >> But keep in mind that trainings don't take place every week in your >> city/country. >> Some questions have to be answered before the next available >> training. >> >> Cheers, >> Robert >> >> Robert Güntensperger >> Swisscom (Schweiz) AG >> Network Services Operation >> Binzring 17 >> 8045 Zürich >> www.swisscom.ch >> >> Postadresse: >> Postfach >> 8021 Zürich >> >> >> -----Original Message----- >> From: ncc-services-wg-admin at ripe.net [mailto:ncc-services-wg-admin at ripe.net >> ] On Behalf Of Wolfgang Tremmel >> Sent: Wednesday, October 20, 2010 9:35 AM >> To: ncc-services-wg at ripe.net >> Subject: Re: [ncc-services-wg] Optimize to be new LIR progress >> >> Hello, >> >> On 19.10.10 18:33, Shahin Gharghi wrote: >>> >>> 1. fill the First form >>> 2. receive a mail >>> 3. sign the papers >> >> 4. Attend a Basic LIR training: Most of your questions if not all >> will be answered there...
>> >> http://www.ripe.net/training >> >> best regards, >> Wolfgang >> >> -- >> Wolfgang Tremmel e-mail: wolfgang.tremmel at de-cix.net >> DE-CIX Management GmbH Phone: +49 69 1730 902-26 >> Lindleystr. 12, 60314 Frankfurt Mobile: +49 171 8600 816 >> Geschaeftsfuehrer Harald A. Summa Fax: +49 69 4056 2716 >> Registergericht AG Koeln, HRB 51135 http://www.de-cix.net >> Zentrale: Lichtstr. 43i, 50825 Koeln >> > From rumy at ripe.net Thu Oct 21 11:19:21 2010 From: rumy at ripe.net (Rumy Kanis) Date: Thu, 21 Oct 2010 11:19:21 +0200 Subject: [ncc-services-wg] Optimize to be new LIR progress In-Reply-To: <831E932DD83E504DB4A4BA37B47C102C722D25FAAB@SG1923Z.corproot.net> References: <4CBE9BBE.8010700@de-cix.net> <831E932DD83E504DB4A4BA37B47C102C722D25FAAB@SG1923Z.corproot.net> Message-ID: <09D4E375-6570-443E-9401-EC6A2018630E@ripe.net> Hello, I agree that the best way of getting up to speed fast is to attend an LIR Training Course. We travel all around the service region and deliver an LIR course almost every week. However, I do think it's useful to have an easy to access checklist (with links) for new LIRs who can't make it to a course. That's a great suggestion, Shahin! I will see if this is something we can publish on short notice. In the meantime, you can always have a look at our training material, there is a lot of information there, including a checklist in the LIR Handbook (although not as elaborate as suggested by Shahin): http://www.ripe.net/training/material.html#LIR As I said, I will see if we can publish something on short notice. As a side-note, we will be in Iran for an LIR and an IPv6 course on the 29th and 30th of November. These courses are free for our members.
There are still some places left so please feel free to register here: https://lirportal.ripe.net/lirportal/training/course-list.html (if the course is full, please send a mail to training at ripe.net and we can see if we can still fit you in) Kind regards and thanks for the suggestions, Rumy --- Rumy Kanis Training Services Manager RIPE NCC On Oct 20, 2010, at 9:44 AM, wrote: > Hi Wolfgang > > That's a good hint. > But keep in mind that trainings don't take place every week in your > city/country. > Some questions have to be answered before the next available training. > > Cheers, > Robert > > Robert Güntensperger > Swisscom (Schweiz) AG > Network Services Operation > Binzring 17 > 8045 Zürich > www.swisscom.ch > > Postadresse: > Postfach > 8021 Zürich > > > -----Original Message----- > From: ncc-services-wg-admin at ripe.net [mailto:ncc-services-wg-admin at ripe.net > ] On Behalf Of Wolfgang Tremmel > Sent: Wednesday, October 20, 2010 9:35 AM > To: ncc-services-wg at ripe.net > Subject: Re: [ncc-services-wg] Optimize to be new LIR progress > > Hello, > > On 19.10.10 18:33, Shahin Gharghi wrote: >> >> 1. fill the First form >> 2. receive a mail >> 3. sign the papers > > 4. Attend a Basic LIR training: Most of your questions if not all > will be answered there... > > http://www.ripe.net/training > > best regards, > Wolfgang > > -- > Wolfgang Tremmel e-mail: wolfgang.tremmel at de-cix.net > DE-CIX Management GmbH Phone: +49 69 1730 902-26 > Lindleystr. 12, 60314 Frankfurt Mobile: +49 171 8600 816 > Geschaeftsfuehrer Harald A. Summa Fax: +49 69 4056 2716 > Registergericht AG Koeln, HRB 51135 http://www.de-cix.net > Zentrale: Lichtstr.
43i, 50825 Koeln > From jim at rfc1035.com Thu Oct 21 14:49:46 2010 From: jim at rfc1035.com (Jim Reid) Date: Thu, 21 Oct 2010 13:49:46 +0100 Subject: [ncc-services-wg] Re: personal data in the NCC In-Reply-To: <20101020192918.GA9453@srv03.cluenet.de> References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> Message-ID: <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> On 20 Oct 2010, at 20:29, Daniel Roesen wrote: > I will definitely NOT send a plain copy of my passport around. +1. > Nowhere else is such a drastic measure ever required, except buying > ammunition > and firearms via mailorder. Clearly you've never tried buying beer at a US stadium.... Or opened a bank account recently. :-( > Asking for that to get a few numbers assigned is plain over the top. I sort of agree. But there are trade-offs here. If you don't like the current policy, you are welcome to suggest changes. The policy making machinery is open to everyone. > [and RIPE NCC wouldn't be able to verify the validity of that ID copy > anyway, so this is bogus in the first place] Not quite. Demanding passports may well be unreasonable. [I wonder how this policy can be applied to people who don't have passports or driving licences and live in enlightened countries that don't have ID cards?] However, the NCC does need to have some way of verifying the identity the other party to the agreement. A government-issued identity document is the easiest way to do that. Perhaps there could be (electronic?) alternatives: eg PGP signatures signed by someone already known to the NCC.
From dr at cluenet.de Thu Oct 21 15:28:26 2010 From: dr at cluenet.de (Daniel Roesen) Date: Thu, 21 Oct 2010 15:28:26 +0200 Subject: [ncc-services-wg] Re: Re: personal data in the NCC In-Reply-To: <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> Message-ID: <20101021132826.GA25451@srv03.cluenet.de> On Thu, Oct 21, 2010 at 01:49:46PM +0100, Jim Reid wrote: >> Nowhere else is such a drastic measure ever required, except buying >> ammunition and firearms via mailorder. > > Clearly you've never tried buying beer at a US stadium.... They keep copies of passports? > If you don't like the current policy, you are welcome to suggest changes. The policy does not require personal ID copies kept by the NCC. http://www.ripe.net/ripe/policies/proposals/2007-01.html In fact, it doesn't even require NCC to establish the identity of requestors via specific means. That's all NCC operational decision: "This proposal does not discuss any particular details of the contract that may be set up between the End User and the RIPE NCC. The RIPE NCC Executive Board will decide on the details of this contract." I'm not sure we're able to do something about it via the policy process if NCC's lawyers say "ask for and keep a copy of IDs" to "be safe". > However, the NCC does need to have some way of verifying the identity the > other party to the agreement. What level of certainty is required? There are other, less intrusive methods, e.g. snail mail token exchange or a dummy credit card charge (1 EUR). Did you ever have to provide passport copy to online shops where you buy goods? > A government-issued identity document is the easiest way to do that. 
Only if NCC would have any way of verifying the authenticity (people trying to game the system are able to use photoshop!), and still there is no need to keep a copy, unless Dutch Law requires to keep such copies for normal contracts businesses engage in - which I doubt. Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From president at ukraine.su Thu Oct 21 15:29:22 2010 From: president at ukraine.su (Max Tulyev) Date: Thu, 21 Oct 2010 16:29:22 +0300 Subject: [ncc-services-wg] personal data in the NCC In-Reply-To: <1431415051.20101020112535@devnull.ru> References: <1431415051.20101020112535@devnull.ru> Message-ID: <4CC04032.7070708@ukraine.su> Hi All, I read the thread about it, and there is something to dig out for me. As for my experience in working with RIPE NCC hostmasters, they often request a lot of information they never can check. It is the MAC address lists, some kind of graphs, some papers issued by companies they never can reach, etc. All these data can be relatively easily obtained and processed. The other way is the personal data, and so important data like photo ID or passport. Request and handle that data is difficult and is a subject of a number of laws, such as The Law about Personal Data in Russia. By that law, the legal obtaining of that data is almost impossible for RIPE NCC, so it means RIPE can NEVER check the Russian passport you send them. The question is: what EXACTLY do RIPE NCC staff do with the photo IDs we are sending them? Is it really important, or it is just for an extra bureaucracy? Also, let's imagine bad and good guys. The bad guy will make the "photo ID" in the Photoshop in a few minutes (and look up this message - RIPE NCC can't check it), but the good guy will experience a lot of problems. So why? 20.10.10 12:25, Sergey Myasoedov wrote: > Hello, > > I would like to talk about personal data protection.
After the audit process, NCC demands > that we send them, together with the contract, the ID of person who signs the End User > assignment contract (even if the contract is signed by a person on behalf of company). > > It seems strange: the CEO of company that wants IP resources signs the contract, probably > stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such > operations - we should request ID or RIPE NCC will not assign resources for our customers. > > Even more, RIPE NCC requires scans of ID, and this action violates local laws in some > countries (for example, CZ or RU). In Russia, personal data can be processed only after a > special agreement (except some cases mentioned in the law), but we will send the ID images > without any special agreements to the NCC. > > I tried to find some statements on data protection in the RIPE NCC or on any guarantee of > confidentiality, but no such information found in the standard service agreement or any > policy documents. > > On these grounds, I would like to initiate a change. RIPE NCC should have data protection > procedures or RIPE NCC should not request personal IDs of third parties. 
> > > -- > Sergey > -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO) From jim at rfc1035.com Thu Oct 21 15:49:56 2010 From: jim at rfc1035.com (Jim Reid) Date: Thu, 21 Oct 2010 14:49:56 +0100 Subject: [ncc-services-wg] Re: Re: personal data in the NCC In-Reply-To: <20101021132826.GA25451@srv03.cluenet.de> References: <1431415051.20101020112535@devnull.ru> <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> Message-ID: <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> On 21 Oct 2010, at 14:28, Daniel Roesen wrote: >> If you don't like the current policy, you are welcome to suggest >> changes. > > The policy does not require personal ID copies kept by the NCC. OK, so you want to pick nits. If you don't like the *implementation* of the current policy, you are welcome to suggest changes. Or propose a policy that forbids the NCC to store copies of passports and similar documents. Rather than whine or explore rat-holes, please come forward with some constructive proposals. > I'm not sure we're able to do something about it via the policy > process > if NCC's lawyers say "ask for and keep a copy of IDs" to "be safe". Now you're making assumptions and possibly jumping to wrong conclusions. First, it's *your* NCC and it exists to serve its members. If it's not doing so, you absolutely can and should do something about that. The policy machinery and the organisation's bye- laws are the tools for those changes: changing/making policies, voting for the board, calling a General Meeting, etc. I don't know why the NCC is copying passports. It will be for a good reason. [Well, it had better be for a good reason...] 
Perhaps if this was further explained, we would all have a better understanding of the issue and what options are feasible for making changes? > Did you ever have to provide passport copy to online shops where you > buy > goods? No. I don't go shopping. And I generally don't buy stuff on-line. The web is full of marketing scumbags who think they are entitled to send me spam if I'm stupid enough to buy from them. I refuse to pay the entrance fee. From andrea at ripe.net Thu Oct 21 16:23:37 2010 From: andrea at ripe.net (Andrea Cima) Date: Thu, 21 Oct 2010 16:23:37 +0200 Subject: [ncc-services-wg] personal data in the NCC In-Reply-To: <4CBF04D5.3@futureinquestion.net> References: <1431415051.20101020112535@devnull.ru> <57F02740-2A1F-4005-A87E-46641C198373@ripe.net> <4CBF04D5.3@futureinquestion.net> Message-ID: <4CC04CE9.7030604@ripe.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear David, The RIPE Policy ripe-452, "Contractual Requirements for Provider Independent Resource Holders in the RIPE NCC Service Region", requires that End Users who receive independent resources from a sponsoring LIR have a contractual agreement with that LIR. Specifically, it states, "The intention of this policy document is to ensure that the RIPE NCC, as the intermediate manager of provider independent resource assignments to End Users, can confirm that the End User exists, continues to exist and that they continue to fulfil their obligations to comply with the original assignment conditions." The policy concludes, "without contractual links in place between the End User and the RIPE NCC, it is impossible for the RIPE NCC to fulfil its obligations of responsible stewardship of Internet resources." The full policy is available at: http://ripe.net/ripe/docs/ripe-452.html The RIPE NCC needs to have evidence of the contractual agreement, so we ask for a copy of the signed contract between the End User and the LIR, and the registration papers of the company requesting the resources. 
If the End User is not a registered company, we ask for identification. This is to ensure that the RIPE NCC has complete and correct data about the holder of the resources. The only other occasion when the RIPE NCC requests identification papers is if there are doubts about the validity of a contract. If this is the case, the RIPE NCC asks for the identification to ensure that the contracts are valid and that the person signing the contracts is a real person. However, this only happens on rare occasions and when the RIPE NCC believes it is absolutely necessary to confirm the validity of contracts. This is standard procedure for diligent verification of contracts. All personal data received by the RIPE NCC is handled in an appropriate manner and in accordance with our Privacy Statement. The RIPE NCC will only discuss individual cases with the LIR concerned, and this is something we are always happy to do. I hope this clarifies matters and answers your question. If you have any further questions, please feel free to contact me. Best regards, Andrea Cima Registration Services Manager RIPE NCC David Monosov wrote: > Dear Andrew, > > In your e-mail, you state: > >> As a registry, the RIPE NCC has a mandate to ensure the accuracy of our >> registration data. Verifying the identity of LIR representatives is directly >> relevant to this mandate. >> > > It is however my understanding that the question of Mr. Myasoedov relates to PI > resources assigned to end users through the LIR in which he is a representative, > where the end user is an organization, and the requested personal identification > documents were required for the representatives of the end user organization, > rather than the LIR itself. 
> > The intention of the RIPE NCC to not only collect personal identification > documents from representatives of organizational end users, but to externalize > this burden to individual LIRs which process PI requests on behalf of end users > was not apparent from proposal 2007-01, nor from subsequent operational > discussions on its implementation. > > Instead, it was understood, and has previously been the operational reality, > that organizational users will submit a certificate of incorporation or similar > document attesting the organization's existence under the laws of their country > of origin, and a contract which meets the requirements outlined in policy > proposal 2007-01. > > Could you please elaborate on the circumstances which required this deviation > from the standard operational procedure and the situations in which this new > condition will be invoked? > > Such unannounced changes can be very disruptive to an established administrative > workflow between a LIR and its end users if imposed suddenly, and while I am > certain that the RIPE NCC is acting with the goal of improving accountability in > resource assignment, a balance must be maintained between the mandate the > community has granted the RIPE NCC with the introduction of policy 2007-01, and > its ability to spontaneously introduce new administrative conditions to resource > assignment. > > -- > Respectfully yours, > > David Monosov > > > On 10/20/2010 03:11 PM, Andrew de la Haye wrote: >> Dear Sergey, >> >> Thank you for your email. All personal data obtained by the RIPE NCC is handled >> in accordance with Dutch law and European Union data protection legislation, as >> required for an organisation operating in the Netherlands. 
>> >> The RIPE NCC Privacy Statement is publicly available on the RIPE website, and >> describes the situations in which personal data may be requested and the RIPE >> NCC's responsibilities when handling such data: >> http://www.ripe.net/legal/privacy-statement.html >> >> Please note the following sections: >> - "Except as described herein or when under a statutory duty to do so, the RIPE >> NCC does not share or transfer any personal data." [Section 2.1] >> - "The RIPE NCC maintains a high level of physical security and protection for >> all its computer and network facilities, and, in particular, for those in which >> personal information may be stored." [Section 3] >> >> As a registry, the RIPE NCC has a mandate to ensure the accuracy of our >> registration data. Verifying the identity of LIR representatives is directly >> relevant to this mandate. >> >> I hope this clarifies the RIPE NCC's position in relation to this matter. >> >> Best regards, >> >> Andrew de la Haye >> Chief Operations Officer, RIPE NCC >> >> >> >> >> >> On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote: >> >>> Hello, >>> >>> I would like to talk about personal data protection. After the audit process, >>> NCC demands >>> that we send them, together with the contract, the ID of person who signs the >>> End User >>> assignment contract (even if the contract is signed by a person on behalf of >>> company). >>> >>> It seems strange: the CEO of company that wants IP resources signs the >>> contract, probably >>> stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no >>> choice on such >>> operations - we should request ID or RIPE NCC will not assign resources for >>> our customers. >>> >>> Even more, RIPE NCC requires scans of ID, and this action violates local laws >>> in some >>> countries (for example, CZ or RU). 
In Russia, personal data can be processed >>> only after a >>> special agreement (except some cases mentioned in the law), but we will send >>> the ID images >>> without any special agreements to the NCC. >>> >>> I tried to find some statements on data protection in the RIPE NCC or on any >>> guarantee of >>> confidentiality, but no such information found in the standard service >>> agreement or any >>> policy documents. >>> >>> On these grounds, I would like to initiate a change. RIPE NCC should have data >>> protection >>> procedures or RIPE NCC should not request personal IDs of third parties. >>> >>> >>> -- >>> Sergey >>> > From dr at cluenet.de Thu Oct 21 17:24:51 2010 From: dr at cluenet.de (Daniel Roesen) Date: Thu, 21 Oct 2010 17:24:51 +0200 Subject: [ncc-services-wg] Re: Re: Re: personal data in the NCC In-Reply-To: <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> References: <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> Message-ID: <20101021152451.GA1216@srv03.cluenet.de> On Thu, Oct 21, 2010 at 02:49:56PM +0100, Jim Reid wrote: >>> If you don't like the current policy, you are welcome to suggest changes. >> >> The policy does not require personal ID copies kept by the NCC. > > OK, so you want to pick nits. That's not nit picking.
I just pointed out that there is a distinction between policy (what "we" decided) and implementation (what NCC made out of the policy framework 2007-01). You certainly have a point that the policy probably gives too much a carte blanche about implementation to NCC, allowing NCC to be overly heavy-handed about certain aspects. Did I interpret you correctly? I'm not a lawyer, and not into Dutch contract law, so I'm not really qualified what the minimum certainty level is required for NCC (but I'm sure that no gov ID is required). So my suggestion would be for NCC to explain reasoning for such drastic measures and come forward with alternatives which they deem legally sufficient. Approaches (sole and/or in combination) I can immediately think of: - use LIR as authentication proxy - dummy financial transaction (e.g. credit card charge) - challenge-response via snail mail Regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From gert at space.net Thu Oct 21 17:30:56 2010 From: gert at space.net (Gert Doering) Date: Thu, 21 Oct 2010 17:30:56 +0200 Subject: [ncc-services-wg] Re: Re: Re: personal data in the NCC In-Reply-To: <20101021152451.GA1216@srv03.cluenet.de> References: <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> Message-ID: <20101021153056.GE32268@Space.Net> Hi, On Thu, Oct 21, 2010 at 05:24:51PM +0200, Daniel Roesen wrote: [..] > that the policy probably gives too much a carte blanche about implementation > to NCC, allowing NCC to be overly heavy-handed about certain aspects. [..]
It's interesting to note that at the same time, the RIPE NCC is getting flak from the anti-abuse folks about being too *liberal* in giving out resources to "fake" LIRs in certain countries. Between the lines I hear "this will be hard to get right" and "maybe we can have this on the agenda in the AGM"... Gert Doering -- LIR contact -- did you enable IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 From president at ukraine.su Thu Oct 21 17:50:48 2010 From: president at ukraine.su (Max Tulyev) Date: Thu, 21 Oct 2010 18:50:48 +0300 Subject: [ncc-services-wg] Re: Re: Re: personal data in the NCC In-Reply-To: <20101021153056.GE32268@Space.Net> References: <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> <20101021153056.GE32268@Space.Net> Message-ID: <4CC06158.1040504@ukraine.su> 21.10.10 18:30, Gert Doering wrote: > It's interesting to note that at the same time, the RIPE NCC is getting > flak from the anti-abuse folks about being too *liberal* in giving out > resources to "fake" LIRs in certain countries. May be that's because of there is a big difference between the bureaucracy demands and the real checking?
;) -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO) From gert at space.net Thu Oct 21 18:04:39 2010 From: gert at space.net (Gert Doering) Date: Thu, 21 Oct 2010 18:04:39 +0200 Subject: [ncc-services-wg] Re: Re: Re: personal data in the NCC In-Reply-To: <4CC06158.1040504@ukraine.su> References: <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> <20101021153056.GE32268@Space.Net> <4CC06158.1040504@ukraine.su> Message-ID: <20101021160439.GI32268@Space.Net> Hi, On Thu, Oct 21, 2010 at 06:50:48PM +0300, Max Tulyev wrote: > 21.10.10 18:30, Gert Doering wrote: > > It's interesting to note that at the same time, the RIPE NCC is getting > > flak from the anti-abuse folks about being too *liberal* in giving out > > resources to "fake" LIRs in certain countries. > > May be that's because of there is a big difference between the > bureaucracy demands and the real checking? ;) So what would you suggest? (Sincere question, I have no experience with "validating the existence of an organization" outside my country). Gert Doering -- did you enable IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A.
Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 From jim at rfc1035.com Thu Oct 21 18:09:41 2010 From: jim at rfc1035.com (Jim Reid) Date: Thu, 21 Oct 2010 17:09:41 +0100 Subject: [ncc-services-wg] implementation of 2007-01 In-Reply-To: <20101021152451.GA1216@srv03.cluenet.de> References: <4CBED136.7000602@burkov.aha.ru> <465243455.20101020133102@devnull.ru> <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> Message-ID: On 21 Oct 2010, at 16:24, Daniel Roesen wrote: > You certainly have a point that the policy probably gives too much a > carte blanche about implementation to NCC, allowing NCC to be overly > heavy-handed about certain aspects. Did I interpret you correctly? Not quite. I didn't say the NCC was being overly heavy-handed. The policy did leave the NCC to work out the implementation detail. Which is usually fine. Nobody else really wants to get involved in that and sometimes implementation depends on internal procedures and operations at the NCC itself. So RIPE as a general rule would leave the NCC to get on with this and trust them to do the Right Thing. This is how it should be. And if things are not going right, there are feedback controls to deal with that. Now if the implementation of this policy is causing problems, then there are existing mechanisms which can be used to address them. A quiet word with the CEO or a Board Member can usually help. [Axel, I don't want the NCC to have a copy of my passport: what's the story here?] If the difficulties are more complex and not easily rectified, then there are more formal mechanisms. Like proposing a new policy or changing an existing one.
I think we've thrashed this issue to death by now. So the next stage is finding out what the underlying problem is and what other implementation details can be used to deal with them. Over to you... From sergey at devnull.ru Thu Oct 21 18:10:39 2010 From: sergey at devnull.ru (Sergey Myasoedov) Date: Thu, 21 Oct 2010 18:10:39 +0200 Subject: [ncc-services-wg] Re: Re: Re: personal data in the NCC In-Reply-To: <20101021160439.GI32268@Space.Net> References: <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> <20101021153056.GE32268@Space.Net> <4CC06158.1040504@ukraine.su> <20101021160439.GI32268@Space.Net> Message-ID: <1886128159.20101021181039@devnull.ru> Gert, for most of service region countries it is possible to perform an online check of legal entity existence. Within the EU, VAT payers can be checked. Thursday, October 21, 2010, 6:04:39 PM, you wrote: >> Maybe that's because there is a big difference between the >> bureaucracy demands and the real checking? ;) GD> So what would you suggest? (Sincere question, I have no experience GD> with "validating the existence of an organization" outside my country). 
-- Sergey From marcoh at marcoh.net Thu Oct 21 18:44:48 2010 From: marcoh at marcoh.net (Marco Hogewoning) Date: Thu, 21 Oct 2010 19:44:48 +0300 Subject: [ncc-services-wg] Re: Re: Re: personal data in the NCC In-Reply-To: <1886128159.20101021181039@devnull.ru> References: <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> <20101021153056.GE32268@Space.Net> <4CC06158.1040504@ukraine.su> <20101021160439.GI32268@Space.Net> <1886128159.20101021181039@devnull.ru> Message-ID: And what about the 95% of the service region which is not part of the EU ? On Oct 21, 2010, at 7:10 PM, Sergey Myasoedov wrote: > Gert, > > for most of service region countries it is possible to perform an online check of legal > entity existence. > > Within the EU, VAT payers can be checked. > > > Thursday, October 21, 2010, 6:04:39 PM, you wrote: > >>> Maybe that's because there is a big difference between the >>> bureaucracy demands and the real checking? ;) > GD> So what would you suggest? (Sincere question, I have no experience > GD> with "validating the existence of an organization" outside my country). 
> > > > -- > Sergey > From dr at cluenet.de Thu Oct 21 21:01:33 2010 From: dr at cluenet.de (Daniel Roesen) Date: Thu, 21 Oct 2010 21:01:33 +0200 Subject: [ncc-services-wg] Re: Re: Re: Re: personal data in the NCC In-Reply-To: <1886128159.20101021181039@devnull.ru> References: <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> <20101021153056.GE32268@Space.Net> <4CC06158.1040504@ukraine.su> <20101021160439.GI32268@Space.Net> <1886128159.20101021181039@devnull.ru> Message-ID: <20101021190133.GA18276@srv03.cluenet.de> On Thu, Oct 21, 2010 at 06:10:39PM +0200, Sergey Myasoedov wrote: > for most of service region countries it is possible to perform an > online check of legal entity existence. And what about natural persons? End Users aren't necessarily businesses. Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From dr at cluenet.de Thu Oct 21 21:23:29 2010 From: dr at cluenet.de (Daniel Roesen) Date: Thu, 21 Oct 2010 21:23:29 +0200 Subject: [ncc-services-wg] Re: implementation of 2007-01 In-Reply-To: References: <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> Message-ID: <20101021192329.GB18276@srv03.cluenet.de> On Thu, Oct 21, 2010 at 05:09:41PM +0100, Jim Reid wrote: >> You certainly have a point that the policy probably gives too much a carte >> blanche about implementation to NCC, allowing NCC to be overly >> heavy-handed about certain aspects. Did I interpret you correctly? > > Not quite. 
I didn't say the NCC was being overly heavy-handed. I didn't state that you did say that. "allowing NCC to..." is a consequence of the carte blanche. "heavy-handed" was my own characterization. I didn't mean to lay that in your mouth. Sorry, English is not my native language. Apologies for not being clear enough. > The policy did leave the NCC to work out the implementation detail. Which > is usually fine. Agreed. > Nobody else really wants to get involved in that and sometimes > implementation depends on internal procedures and operations at > the NCC itself. So RIPE as a general rule would leave the NCC to get on > with this and trust them to do the Right Thing. This is how it should be. Agreed as well. > Now if the implementation of this policy is causing problems, then there > are existing mechanisms which can be used to address them. A quiet word > with the CEO or a Board Member can usually help. [Axel, I don't want the > NCC to have a copy of my passport: what's the story here?] Well, the usual party line brought forward is "if you have an issue, bring it up on the mailing lists". Now we're doing that, and are being suggested to go private with execs first. Hrm. 
Regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From jim at rfc1035.com Thu Oct 21 21:38:58 2010 From: jim at rfc1035.com (Jim Reid) Date: Thu, 21 Oct 2010 20:38:58 +0100 Subject: [ncc-services-wg] Re: implementation of 2007-01 In-Reply-To: <20101021192329.GB18276@srv03.cluenet.de> References: <4CBED8A6.10900@burkov.aha.ru> <411BB54B-AFD3-43C2-8A6E-96370DD42A69@rfc1035.com> <4CBEE722.6040805@ripn.net> <20101020192918.GA9453@srv03.cluenet.de> <72FCA079-40E2-4EE6-B99E-6C97EBD0B383@rfc1035.com> <20101021132826.GA25451@srv03.cluenet.de> <6ED9CD59-05C6-4BE0-B064-EFA483AB0373@rfc1035.com> <20101021152451.GA1216@srv03.cluenet.de> <20101021192329.GB18276@srv03.cluenet.de> Message-ID: <6E53024D-37ED-4486-B4A8-08A94AA251BE@rfc1035.com> On 21 Oct 2010, at 20:23, Daniel Roesen wrote: > Well, the usual party line brought forward is "if you have an issue, > bring it up on the mailing lists". Now we're doing that, and are being > suggested to go private with execs first. Hrm. I refer you to what I said in an earlier posting: please come forward with some constructive proposals. You didn't do that, at least not yet. The issue is at layer-9 or above, possibly in lawyer-land. Neither of us are lawyers or know why the NCC felt it had to take the action it did. So your mission, if you choose to accept it, is to nicely ask the NCC management to explain why copying passports is necessary. Once you have that info, you can raise this on the list for discussion instead of debating speculation. That info would also help someone submit a proposal to amend the policy which upsets you. Any such policy proposal will also need to be circulated, possibly here and in the AP WG. Clear? So now it's up to you. Please get some hard facts and make a positive contribution. That would greatly improve the signal to noise ratio which we'd all appreciate. 
From mir at ripe.net Fri Oct 22 13:44:01 2010 From: mir at ripe.net (Mirjam Kuehne) Date: Fri, 22 Oct 2010 13:44:01 +0200 Subject: [ncc-services-wg] Active Measurements (RIPE Atlas) - Registration Open Now Message-ID: <4CC17901.1010002@ripe.net> [Apologies for duplicate emails] Dear colleagues, The launch date of our new active measurements network, RIPE Atlas, is close. We already received a lot of interest and offers to host such a probe. Registration is now open! In this new RIPE Labs article, we explain some more details about how to participate in this effort: http://labs.ripe.net/Members/kistel/ripe-atlas-pre-registration-is-now-open For more information, please refer to earlier articles on the same topic: 1. Active Measurements Need More Vantage Points https://labs.ripe.net/Members/dfk/active-measurements-need-more-vantage-points 2. Active Measurements - A Small Probe https://labs.ripe.net/Members/dfk/a-small-probe-for-active-measurements?searchterm=Active 3. Active Measurements - Hosting a Probe https://labs.ripe.net/Members/dfk/active_measurements/hosting-a-probe-for-active-measurements 4. Wanted: Partners to Sponsor "RIPE Atlas" Effort http://labs.ripe.net/Members/dfk/active-measurements-sponsorship Kind Regards, Mirjam Kuehne RIPE NCC From agoston at ripe.net Fri Oct 22 13:31:03 2010 From: agoston at ripe.net (Agoston Horvath) Date: Fri, 22 Oct 2010 13:31:03 +0200 Subject: [ncc-services-wg] Outage Report for RIPE Database Updates Message-ID: <4CC175F7.2060509@ripe.net> [Apologies for duplicates] Dear colleagues, Between approximately 11:50 and 12:20 (UTC), 21 October 2010, we experienced an outage on the web server www.db.ripe.net. During this period it was not possible to connect to the syncupdates or webupdates services or use whois.cgi (the web-based GUI for whois queries). Services not depending on the HTTP protocol (whois queries, mailupdates) were not affected. We apologise for any inconvenience that this may have caused. 
Regards, Agoston Horvath Database Group RIPE NCC From mir at ripe.net Fri Oct 22 16:01:20 2010 From: mir at ripe.net (Mirjam Kuehne) Date: Fri, 22 Oct 2010 16:01:20 +0200 Subject: [ncc-services-wg] New and Improved RIPE Registry Global Resource Service Message-ID: <4CC19930.10004@ripe.net> [Apologies for duplicate emails] Dear colleagues, We have redesigned and improved the way we mirror other databases (Thanks to the RIPE NCC Database staff!). We now have a method of translating the operational data from other registries (for instance from other RIRs or the RADb) into the RIPE Database structure. This means the RIPE Database will contain the most complete set of operational data in (RIPE) RPSL format that has ever been available in one place. Read more on RIPE Labs: http://labs.ripe.net/Members/Paul_P_/ripe-registry-global-resource-service Kind Regards, Mirjam Kuehne RIPE NCC From hank at efes.iucc.ac.il Thu Oct 28 09:28:38 2010 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 28 Oct 2010 09:28:38 +0200 Subject: [ncc-services-wg] New RIPE NCC Procedural Document Available In-Reply-To: <4C2A18AC.1050007@ripe.net> References: <5.1.0.14.2.20100628175858.08875d30@efes.iucc.ac.il> <5.1.0.14.2.20100628175858.08875d30@efes.iucc.ac.il> Message-ID: <5.1.0.14.2.20101028092029.03663d20@efes.iucc.ac.il> At 18:00 29/06/2010 +0200, Arne Kiessling wrote: >Dear Hank, > >Thanks for your email. > >In answer to your first scenario: In order to move an independent Internet >resource assigned to an End User to another sponsoring LIR, the new >sponsoring LIR must submit an End User Assignment Agreement and the >registration documents of the End User's organisation. This ensures that >the new sponsoring LIR and the end user are aware of the changes. > >This is described in procedure document ripe-475 >(http://www.ripe.net/ripe/docs/ripe-475.html), 3.1 (Transfer between >Sponsoring LIRs). 
We are aware that this document also states that such >requests "must come from either the current or the new sponsoring LIR". >However, the old sponsoring LIR only needs to confirm that they agree with >these changes. Having a resource marked as "Not My End User" is seen as a >confirmation in this case. The RIPE NCC will inform both the former and >new sponsoring LIR when the requested updates have been processed. Because >the End Users know with which LIR they will sign an agreement, the best >option is to have the new sponsoring LIR contact the RIPE NCC and provide >the necessary documentation. > >End Users who are not going to sign an agreement with the current >sponsoring LIR are responsible for finding a new sponsoring LIR and signing an >agreement with that LIR. The new sponsoring LIR then needs to provide the >required documents to the RIPE NCC who will evaluate the documentation, >approve it and move the resource to the new sponsoring LIR. > >Resources for which no documentation was submitted at the end of Phase 2 >will become part of Phase 3 of the policy implementation where the RIPE >NCC will contact the resource holders directly. > >In answer to your second scenario: If you've marked a resource as "Not my >End User" after communicating to the resource holder and informing them >that they will need to sign an agreement with a sponsoring LIR of their >choice, there is nothing else you have to do. > >Regarding the resources which are no longer in use, please note that >confirmation from the resource holder that they agree to release the >resource is still required, especially if it turns out that the resources >are actually still in use. Additionally, there might be other reasons why >a PI prefix is not visible in the global routing table. > >If there is no reply from the end user after a certain period of time (90 >days), the resources are de-registered. 
This is described in procedure >document ripe-475, 4 (De-registering of Independent Internet Number Resources). > >As per community feedback received during the recent 2007-01 update >presentation at RIPE 60, the RIPE NCC will draft a procedure for Phase 3 >of the policy implementation and send it to the RIPE NCC Services Working >Group Mailing List before starting the Phase 3 implementation. Phase 3 was published in August 2010: http://www.ripe.net/news/2007-01-phase3.html Has the RIPE NCC set a timeframe for implementing Phase 3? Regards, Hank >I hope that this has clarified the matter. Please let me know if you have >any further questions. > > >Kind regards, > >Arne Kiessling >IP Resource Analyst >RIPE NCC > > >Hank Nussbacher wrote: >>At 16:53 16/07/2009 +0200, Andrea Cima wrote: >> >>>[Apologies for duplicate emails] >>> >>>Dear Colleagues, >>> >>>The RIPE NCC has published a new RIPE NCC procedural document: >>>ripe-475, "Independent Internet Number Resources - Contractual >>>Relationship Changes between sponsoring LIR and End User" >>> >>>This document describes the steps to be taken when there are changes in >>>the contractual relationship between the End User of independent >>>Internet number resources and the sponsoring Local Internet Registry >>>(LIR). It also describes the scenarios in which the RIPE NCC may >>>de-register independent Internet number resources and what happens to >>>those resources once they are de-registered. >>> >>>The new document is available at: >>>http://www.ripe.net/ripe/docs/ripe-475.html >>I'd like to once again raise this issue which I did a year ago and did >>not get sufficient answers. Here are two scenarios that are happening: >>- scenario 1: I have marked a resource as "not my end user", yet RIPE >>responds as follows when I request that they move the resource from my >>LIR to the new sponsoring LIR: >>"We haven't received any documentation yet. 
>>Please inform the End User of ASxxxxx to ask from their new LIR to >>submit the transfer request in a new ticket in >>enduser-contract at ripe.net." >>I think after a year and about a dozen emails to the old user and the new >>sponsoring LIR I have gone beyond my responsibility on this matter. >>What does RIPE intend to do with those resources that the new sponsoring >>LIR or the end user just can't be bothered to do the registration >>change? If I mark a resource as "not my end user", why are they asking >>"please inform the end user..." >>- scenario 2: I have marked a resource as "not my end user" and have >>heard from the end user that they have walked away from the resource. I >>have requested that RIPE delete this resource yet the answer I get from RIPE is >>"We did not receive any reply from the End User, so we >>can not return ASxxxx to the free pool without their confirmation. >>We will send another reminder to the End User." >>The end user will never respond since they no longer exist or don't care >>to respond. At what point will RIPE reclaim the resource? >>I think there should be clear written procedures for these cases. >>Regards, >>Hank From hank at efes.iucc.ac.il Thu Oct 28 09:11:06 2010 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 28 Oct 2010 09:11:06 +0200 Subject: [ncc-services-wg] voting on AGM In-Reply-To: <4AA37DE2.40504@ripe.net> References: <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> Message-ID: <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> At 11:16 06/09/2009 +0200, Axel Pawlik wrote: >Hank, all, > >>and so died the entire discussion thread of online voting. 
No one from >>RIPE NCC responded why electronic voting can't be implemented. > >It's not that it cannot be implemented. I said at the GM and later, that >I'd prefer not to invest the resources at this time to implement a perfect >e-voting system, rather focussing on IPv4 run-out and 2007-01 >implementation support. Hence the idea to use postal ballots. > >However, during last week's board meeting, we discussed the topic >again. We acknowledge that there is a strong interest from members >to implement electronic voting through the LIR portal. I'm changing >priorities to have a system ready for the General Meeting in May 2010. > >Currently we are finishing the supporting documents for the next >General Meeting, to be posted this week, this will include a modification >to the Articles of Association to allow for a streamlined voting process >including for e-voting. Been a year, but here I go again, beating at this dead horse. The meeting next month allows proxy voting as detailed by Axel's email from yesterday: >Proxy Voting >------------- >If your organisation is to be represented by a third party, not being an >authorised employee or director, please fill out the proxy form and send >it to us by 3 November 2010. Any proxy sent to us after this date will not >be valid. The proxy form is available to download here: >http://www.ripe.net/membership/gm/gm-november2010/proxy.html If you go thru the effort of doing the proxy "thing", you will find that one cannot submit a scanned proxy form by email, rather one has to use a fax machine or postal mail. In this day and age, this just strikes me as ridiculous. But now back to e-voting. 
In the Articles: http://www.ripe.net/ripe/docs/articles-association.html section 17.1: 17.1 In addition to the possibility of the members to physically attend the meeting, the Executive Board may decide to open the possibility for the Members to attend the General Meeting through electronic means at a remote location and to vote through electronic means from a remote location. In addition the Executive Board may decide to open the possibility for the Members to electronically participate in deliberation at the General Meeting. The Executive Board shall regulate the (technical) procedure and the requirements for electronic attendance, voting and/or deliberation. The right to vote through electronic means shall only apply to Executive Board member elections. 1) Electronic voting for just executive board members is ridiculous as well. The more pressing issues are with charging schemes and other issues. Glad to see that this will be slightly changed as follows: http://www.ripe.net/membership/gm/gm-november2010/documents/changes-articles-association.html But it is limited to what the Executive Board decides should be voted upon. I think whatever is voted upon in person should be allowed to be voted upon electronically w/o the EB having to get involved. 2) Last time electronic voting was used, one *had* to vote within a 15 minute window of opportunity. If you missed it, then you couldn't vote. I own or have owned numerous stocks and they allow electronic voting not just for the BoD but for many other issues as well. And one can vote for a few weeks before the general membership meeting. Only an organization that really doesn't want electronic voting would implement a 15 minute window to vote. As of today, we have 32 voting members attending out of how many LIRs - 5000? Does that make for democracy? I highly doubt it. 
Regards, -Hank >Hope this helps, > >Axel From nigel at titley.com Thu Oct 28 11:39:08 2010 From: nigel at titley.com (Nigel Titley) Date: Thu, 28 Oct 2010 10:39:08 +0100 Subject: [ncc-services-wg] voting on AGM In-Reply-To: <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> References: <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> Message-ID: <4CC944BC.8020206@titley.com> Hank, On 28/10/2010 08:11, Hank Nussbacher wrote: ..snip.. > I own or have owned numerous stocks and they allow electronic voting > not just for the BoD but for many other issues as well. And one can > vote for a few weeks before the general membership meeting. Only an > organization that really doesn't want electronic voting would > implement a 15 minute window to vote. I suspect that none of the companies in which you owned stocks were a Dutch Membership Association. It is for that reason that we have this ludicrous situation, which, I assure you, none of the Board are happy with either. We have taken legal advice on the matter and have been told that the system we've come up with is the only one we can legally use. Some background is probably helpful here. The concept of a Dutch membership association has its roots in the "water boards" or "hoogheemraadschappen" set up to govern the "polders", the areas of reclaimed land, below sea level, for which the Netherlands is so well known. Government of these bodies was considered such an important matter (if you get things wrong, the sea comes in) that only those actually present at the meetings had the right to vote. 
The voting procedures for associations (and water boards) have retained this requirement down to the present day. A rather nice little explanation of the origin of the water boards, from which the Dutch associations draw their rules can be found at http://en.wikipedia.org/wiki/Water_board_%28Netherlands%29 Note that the water boards originally had the right to impose the death sentence for such offences as damaging dykes and drainage ditches. I sometimes wish that we had retained that right for suitable crimes against the internet.... but that is slightly off topic. We've managed to get agreement to change the rules to allow electronic voting but only on condition that we: 1. Webcast the General Meetings 2. Allow instantaneous voting within a defined timeslot The RIPE NCC was set up as an association for the tax benefits (we basically pay no tax at all). If the majority of the members want to change the constitution (basically winding up the RIPE NCC and reforming it as a regular limited liability company) and gain the ability to vote in advance of the GM for the payment of a higher membership fee then please let us know. > > As of today, we have 32 voting members attending out of how many LIRs > - 5000? Does that make for democracy? I highly doubt it. Absolutely agree. It is a source of continued pain to the board that representation of the membership is so poor at the GM (approximately 3% including proxies and remote voting). It's difficult to see what else we can do though, given the legal constraints under which we operate. Best regards Nigel Titley Chairman, RIPE NCC Board 
From joao at bondis.org Thu Oct 28 12:17:29 2010 From: joao at bondis.org (João Damas) Date: Thu, 28 Oct 2010 12:17:29 +0200 Subject: [ncc-services-wg] voting on AGM In-Reply-To: <4CC944BC.8020206@titley.com> References: <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> <4CC944BC.8020206@titley.com> Message-ID: <728A03D9-4862-418F-AACE-D7A54451258B@bondis.org> Nigel, good background, now I know where water-boarding comes from ;) On 28 Oct 2010, at 11:39, Nigel Titley wrote: > > The RIPE NCC was set up as an association for the tax benefits (we basically pay no tax at all). If the majority of the members want to change the constitution (basically winding up the RIPE NCC and reforming it as a regular limited liability company) and gain the ability to vote in advance of the GM for the payment of a higher membership fee then please let us know. that is kind of a broad link that may or not have reason to be. Companies pay taxes on profits. In the absence of profit no tax is due (VAT is passed through, right?). So one could even argue that an LLC-type RIPE NCC would be cheaper as it would be a burden to accumulate huge reserves (which is where the current form seems to have most of its benefits) and so lower fees would be in order. Perhaps a more detailed analysis would be worth the time spent on it? Cost/benefit analysis? 
Joao From hank at efes.iucc.ac.il Thu Oct 28 12:41:15 2010 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 28 Oct 2010 12:41:15 +0200 Subject: [ncc-services-wg] voting on AGM In-Reply-To: <4CC94629.4020809@ripe.net> References: <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> Message-ID: <5.1.0.14.2.20101028123325.00c1ed28@efes.iucc.ac.il> At 11:45 28/10/2010 +0200, Axel Pawlik wrote: > > 2) Last time electronic voting was used, one *had* to vote within a 15 > > minute window of opportunity. If you missed it, then you couldn't vote. > >This is actually required by local law, which requires attendees / voters >to be able to fully follow the meeting and discussions. Thanks for the quick reply. The one item that still rankles me is the one above. Does this mean that any company listed on AEX and has a shareholders meeting - everyone has to be online at the time to vote? I suggest this issue be rechecked. Can anyone familiar with AMS-IX comment on their news item: http://www.ams-ix.net/ ------------------------- 14 October 2010, e-voting is back at AMS-IX In 2005, when the Dutch law allowed electronic voting officially, AMS-IX was quick to adopt an e-voting process. Any useful Internet based application, of course, is encouraged by AMS-IX. We checked with our lawyers at the time, who confirmed we could e-vote since we allowed any other means of voting, as it was now officially allowed and as Dutch law is quite pragmatic. 
Together with a company called Netvote, who at that time were the only ones with a ready notary approved electronic voting platform, we set up an AMS-IX dedicated environment. We used it satisfactory until end of last year. ------------------------- They too require you to be online at the time? Regards, Hank From nigel at titley.com Thu Oct 28 12:47:58 2010 From: nigel at titley.com (Nigel Titley) Date: Thu, 28 Oct 2010 11:47:58 +0100 Subject: [ncc-services-wg] voting on AGM In-Reply-To: <5.1.0.14.2.20101028123325.00c1ed28@efes.iucc.ac.il> References: <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> <5.1.0.14.2.20101028123325.00c1ed28@efes.iucc.ac.il> Message-ID: <4CC954DE.9050306@titley.com> On 28/10/2010 11:41, Hank Nussbacher wrote: > At 11:45 28/10/2010 +0200, Axel Pawlik wrote: >> > 2) Last time electronic voting was used, one *had* to vote within a 15 >> > minute window of opportunity. If you missed it, then you couldn't >> vote. >> >> This is actually required by local law, which requires attendees / >> voters >> to be able to fully follow the meeting and discussions. > > Thanks for the quick reply. The one item that still rankles me is the > one above. Does this mean that any company listed on AEX and has a > shareholders meeting - everyone has to be online at the time to vote? > I suggest this issue be rechecked. 
I've asked Axel to do this Nigel From axel.pawlik at ripe.net Thu Oct 28 11:45:13 2010 From: axel.pawlik at ripe.net (Axel Pawlik) Date: Thu, 28 Oct 2010 11:45:13 +0200 Subject: [ncc-services-wg] voting on AGM In-Reply-To: <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> References: <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> Message-ID: <4CC94629.4020809@ripe.net> Hank, all, > Been a year, but here I go again, beating at this dead horse. it's still breathing... :-) > If you go thru the effort of doing the proxy "thing", you will find that > one cannot submit a scanned proxy form by email, rather one has to use a > fax machine or postal mail. In this day and age, this just strikes me > as ridiculous. And it is. Thanks for pointing that out. We're changing this and are about to send out an update. > But now back to e-voting. In the Articles: > http://www.ripe.net/ripe/docs/articles-association.html > section 17.1: > 17.1 In addition to the possibility of the members to physically attend > the meeting, the Executive Board may decide to open the possibility for > the Members to attend the General Meeting through electronic means at a > remote location and to vote through electronic means from a remote > location. In addition the Executive Board may decide to open the > possibility for the Members to electronically participate in > deliberation at the General Meeting. The Executive Board shall regulate > the (technical) procedure and the requirements for electronic > attendance, voting and/or deliberation. The right to vote through > electronic means shall only apply to Executive Board member elections. 
> > 1) Electronic voting for just executive board members is ridiculous as > well. The more pressing issues are with charging schemes and other > issues. Glad to see that this will be slightly changed as follows: > http://www.ripe.net/membership/gm/gm-november2010/documents/changes-articles-association.html Indeed. We introduced e-voting primarily in response to members' comments about the rather arcane election procedure at the time. We've done it now once, and were satisfied that it seemed to work quite well. As you say, we are now preparing the article change that would enable e-voting on other topics as well, without further article change. > But it is limited to what the Executive Board decides should be voted > upon. I think whatever is voted upon in person should be allowed to be > voted upon electronically w/o the EB having to get involved. Without trying to speak for the board, this would be the general intention. However, we would like to discuss how the procedures for this would impact the GM. > 2) Last time electronic voting was used, one *had* to vote within a 15 > minute window of opportunity. If you missed it, then you couldn't vote. This is actually required by local law, which requires attendees / voters to be able to fully follow the meeting and discussions. > As of today, we have 32 voting members attending out of how many LIRs - > 5000? We have more than 7000 members this year. At the last GM, more than 200 votes were cast. Since we hold GMs during the RIPE Meeting week, attendance has gone up significantly. But yes, participation could be much better. > Does that make for democracy? I highly doubt it. Sure it does. All members have the opportunity to vote, if they so wish. Is the current participation as high as we would want it to be? Clearly not. Looking forward to the next GM, eager to see the trend continuing and attendance improving. 
cheers,
Axel

From jim at rfc1035.com Thu Oct 28 12:55:00 2010
From: jim at rfc1035.com (Jim Reid)
Date: Thu, 28 Oct 2010 11:55:00 +0100
Subject: [ncc-services-wg] turning the NCC into a "regular' company
In-Reply-To: <728A03D9-4862-418F-AACE-D7A54451258B@bondis.org>
References: <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> <4CC944BC.8020206@titley.com> <728A03D9-4862-418F-AACE-D7A54451258B@bondis.org>
Message-ID:

On 28 Oct 2010, at 11:17, João Damas wrote:

> that is kind of a broad link that may or not have reason to be.
> Companies pay taxes on profits. In the absence of profit no tax is
> due (VAT is passed through, right?). So one could even argue that an
> LLC-type RIPE NCC would be cheaper as it would be a burden to
> accumulate huge reserves (which is where the current form seems to
> have most of its benefits) and so lower fees would be in order.

Well Joao, the first problem with this scheme is the NCC would presumably first have to raise its fees in order to build up huge reserves which would enable it to fund lower fees. Though if the NCC was making healthy profits, I'm sure the organisation and/or membership will find a way to spend these on special projects and get back to break-even. Call it the financial variation on Parkinson's law.

The next problem is if the NCC was to demutualise it may well have unpleasant consequences. Like speculators buying up shares to take a controlling interest in the company or to swipe the cash reserves as a special dividend. There are obvious parallels with what happened to UK financial organisations that demutualised in the 1980s and 1990s.
Carpet-baggers swooped in, raided the reserves and cashed out.

Another issue is this LLC scheme probably needs a public limited company because its shares would have to be openly traded so anyone can become a shareholder rather than a member as at present. That makes the organisation open to capture. It would also have to act in the best interests of its shareholders. Which might not be the same as the best interests of the current membership or the broader Internet: "we can save tons of costs and get bigger dividends by no longer funding that pesky root server". Public companies have higher burdens for financial reporting and audits too.

Even if the NCC was to become an LLC, I doubt it would make much difference to fees in the long run. Assuming the membership/shareholders remained stable and the organisation continued along its current path, it's unlikely we'd see much change from the existing financial regime or a broadly break-even annual budget and one year's cash as reserves.

Still, it would be interesting for someone to do a proper cost/benefit analysis. It wouldn't hurt to question or review established wisdom every now and then.

From nigel.titley at easynet.com Thu Oct 28 12:41:24 2010
From: nigel.titley at easynet.com (Nigel Titley)
Date: Thu, 28 Oct 2010 10:41:24 +0000
Subject: [ncc-services-wg] voting on AGM
In-Reply-To: <728A03D9-4862-418F-AACE-D7A54451258B@bondis.org>
References: <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> <4CC944BC.8020206@titley.com>,<728A03D9-4862-418F-AACE-D7A54451258B@bondis.org>
Message-ID:

Joao

Certainly worth looking at the cost/benefits of ditching the association status. There are other reasons for the association vehicle of course but it might be worth doing a review. Some of the original constraints no longer apply (Terena was still uncertain that this internet thingie would catch on, which is at the back of some of the more obscure bits in the Articles, including the clearing house funds).

As I say, if the members want it, the board is there to ascertain and execute your wishes.

All the best

Nigel

________________________________________
From: ncc-services-wg-admin at ripe.net [ncc-services-wg-admin at ripe.net] on behalf of João Damas [joao at bondis.org]
Sent: 28 October 2010 11:17
To: Nigel Titley
Cc: ncc-services-wg at ripe.net
Subject: Re: [ncc-services-wg] voting on AGM

Nigel,

good background, now I know where water-boarding comes from ;)

On 28 Oct 2010, at 11:39, Nigel Titley wrote:

>
> The RIPE NCC was set up as an association for the tax benefits (we basically pay no tax at all).
> If the majority of the members want to change the constitution (basically winding up the RIPE NCC and reforming it as a regular limited liability company) and gain the ability to vote in advance of the GM for the payment of a higher membership fee then please let us know.

that is kind of a broad link that may or not have reason to be. Companies pay taxes on profits. In the absence of profit no tax is due (VAT is passed through, right?). So one could even argue that an LLC-type RIPE NCC would be cheaper as it would be a burden to accumulate huge reserves (which is where the current form seems to have most of its benefits) and so lower fees would be in order.

Perhaps a more detailed analysis would be worth the time spent on it? Cost/benefit analysis?

Joao

From joao at bondis.org Thu Oct 28 13:09:12 2010
From: joao at bondis.org (João Damas)
Date: Thu, 28 Oct 2010 13:09:12 +0200
Subject: [ncc-services-wg] voting on AGM
In-Reply-To:
References: <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> <4CC944BC.8020206@titley.com>,<728A03D9-4862-418F-AACE-D7A54451258B@bondis.org>
Message-ID:

On 28 Oct 2010, at 12:41, Nigel Titley wrote:

> Joao
>
> Certainly worth looking at the cost/benefits of ditching the association status. There are other reasons for the association vehicle of course but it might be worth doing a review.

A review would bring better foundations for discussions. It may also help push the current association model farther by illuminating on what is being missed, but comparing with other ways of doing things. I just don't like the sort of Jedi-like hand wave you seemed to be using here.

> Some of the original constraints no longer apply (Terena was still uncertain that this internet thingie would catch on, which is at the back of some of the more obscure bits in the Articles, including the clearing house funds).

Yep. Note that having a reserve is something any sane company should be doing in any case, so don't go overboard.

Joao

From joao at bondis.org Thu Oct 28 13:11:41 2010
From: joao at bondis.org (João Damas)
Date: Thu, 28 Oct 2010 13:11:41 +0200
Subject: [ncc-services-wg] turning the NCC into a "regular' company
In-Reply-To:
References: <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <4A9F5FB9.2040008@danysek.cz> <4AA002D0.9090507@ukraine.su> <4AA04FEB.90502@danysek.cz> <20090904070821.GT79272@Space.Net> <4AA0D6E0.40207@danysek.cz> <1B5BA12E-11F8-40CB-AFD6-F78DB56F2E7E@rfc1035.com> <5.1.0.14.2.20090906083425.00c36210@efes.iucc.ac.il> <5.1.0.14.2.20101028084948.0364dee0@efes.iucc.ac.il> <4CC944BC.8020206@titley.com> <728A03D9-4862-418F-AACE-D7A54451258B@bondis.org>
Message-ID:

I would rather wait to see what the NCC might report back on this.

Joao

On 28 Oct 2010, at 12:55, Jim Reid wrote:

> On 28 Oct 2010, at 11:17, João Damas wrote:
>
>> that is kind of a broad link that may or not have reason to be. Companies pay taxes on profits. In the absence of profit no tax is due (VAT is passed through, right?). So one could even argue that an LLC-type RIPE NCC would be cheaper as it would be a burden to accumulate huge reserves (which is where the current form seems to have most of its benefits) and so lower fees would be in order.
>
> Well Joao, the first problem with this scheme is the NCC would presumably first have to raise its fees in order to build up huge reserves which would enable it to fund lower fees.
> Though if the NCC was making healthy profits, I'm sure the organisation and/or membership will find a way to spend these on special projects and get back to break-even. Call it the financial variation on Parkinson's law.
>
> The next problem is if the NCC was to demutualise it may well have unpleasant consequences. Like speculators buying up shares to take a controlling interest in the company or to swipe the cash reserves as a special dividend. There are obvious parallels with what happened to UK financial organisations that demutualised in the 1980s and 1990s. Carpet-baggers swooped in, raided the reserves and cashed out.
>
> Another issue is this LLC scheme probably needs a public limited company because its shares would have to be openly traded so anyone can become a shareholder rather than a member as at present. That makes the organisation open to capture. It would also have to act in the best interests of its shareholders. Which might not be the same as the best interests of the current membership or the broader Internet: "we can save tons of costs and get bigger dividends by no longer funding that pesky root server". Public companies have higher burdens for financial reporting and audits too.
>
> Even if the NCC was to become an LLC, I doubt it would make much difference to fees in the long run. Assuming the membership/shareholders remained stable and the organisation continued along its current path, it's unlikely we'd see much change from the existing financial regime or a broadly break-even annual budget and one year's cash as reserves.
>
> Still, it would be interesting for someone to do a proper cost/benefit analysis. It wouldn't hurt to question or review established wisdom every now and then.

From denis at ripe.net Thu Oct 28 14:56:38 2010
From: denis at ripe.net (Denis Walker)
Date: Thu, 28 Oct 2010 14:56:38 +0200
Subject: [ncc-services-wg] Outage Report for RIPE Database Updates
Message-ID: <4CC97306.5000707@ripe.net>

[Apologies for duplicate emails]

Dear colleagues,

Between approximately 14:10 and 14:40 (UTC) on 27 October 2010, we experienced an outage of the RIPE Database update service. During this period, no updates were processed.

It was not possible to access the update service via any of the web-based or synchronous interfaces. Updates sent via email are queued and will be executed later. However, we recommend that users check their acknowledgement reports.

We apologise for any inconvenience this may have caused.

Regards,

Paul Palse
Database Group
RIPE NCC

From arne at ripe.net Thu Oct 28 16:01:54 2010
From: arne at ripe.net (Arne Kiessling)
Date: Thu, 28 Oct 2010 16:01:54 +0200
Subject: [ncc-services-wg] New RIPE NCC Procedural Document Available
In-Reply-To: <5.1.0.14.2.20101028092029.03663d20@efes.iucc.ac.il>
References: <5.1.0.14.2.20100628175858.08875d30@efes.iucc.ac.il> <5.1.0.14.2.20100628175858.08875d30@efes.iucc.ac.il> <5.1.0.14.2.20101028092029.03663d20@efes.iucc.ac.il>
Message-ID: <4CC98252.7060303@ripe.net>

Dear Hank,

thank you for your email.

> Has the RIPE NCC set a timeframe for implementing Phase 3?

- Phase 2 of the policy implementation is still ongoing and we are receiving the required documentation from LIRs on a daily basis. The RIPE NCC will present more details on the implementation of Phase 3 at RIPE 61. The plan is to start Phase 3 after RIPE 61 and no later than 3 January 2011.

Kind regards,

Arne Kiessling
IP Resource Analyst
RIPE NCC

Hank Nussbacher wrote:

> Phase 3 was published in August 2010:
> http://www.ripe.net/news/2007-01-phase3.html
> Has the RIPE NCC set a timeframe for implementing Phase 3?
>
> Regards,
> Hank