From randy at psg.com Tue Jan 1 20:40:32 2013
From: randy at psg.com (Randy Bush)
Date: Wed, 02 Jan 2013 04:40:32 +0900
Subject: [ncc-services-wg] Fwd: GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To: <50E1E603.5070707@netability.ie>
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie>
Message-ID:

> This seems odd. I can't seem to find any mention of charging for bulk
> whois access in the RIPE NCC AGM or the PDP.

the ncc _seems_ to have taken upon itself, with no public mandate or
bottom up process, to incrementally make the nic a members only
organization. as the nics are here to serve the internet, this is a
major change. if the ncc is not here to serve the internet, then we may
need to rethink how we handle internet coordination.

something smells very broken here. maybe we are just misinformed.

randy

From gert at space.net Tue Jan 1 20:53:35 2013
From: gert at space.net (Gert Doering)
Date: Tue, 1 Jan 2013 20:53:35 +0100
Subject: [ncc-services-wg] Fwd: GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To:
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie>
Message-ID: <20130101195335.GA40732@Space.Net>

Hi,

On Wed, Jan 02, 2013 at 04:40:32AM +0900, Randy Bush wrote:
> > This seems odd. I can't seem to find any mention of charging for bulk
> > whois access in the RIPE NCC AGM or the PDP.
>
> the ncc _seems_ to have taken upon itself, with no public mandate or
> bottom up process, to incrementally make the nic a members only
> organization. as the nics are here to serve the internet, this is a
> major change. if the ncc is not here to serve the internet, then we may
> need to rethink how we handle internet coordination.
>
> something smells very broken here. maybe we are just misinformed.

Indeed.
I can see the wish to simplify the structure by merging all sorts of
contracts "users that pay money for NCC services" into a single bin,
labeled "paying members" (like dnsmon, etc) - and I would not object
to that. RIPE DB NRTM mirrors(!) have been mentioned to fall under
that category as well.

OTOH, "proxy whois service" usage never had a price tag, so I find it surprising that this would be part of the "everything that has a price tag needs to be a member now" clause...

Anyone from the NCC around who is willing to clarify this?

thanks,

Gert Doering
        -- hat wrangler
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From randy at psg.com Tue Jan 1 21:28:20 2013
From: randy at psg.com (Randy Bush)
Date: Wed, 02 Jan 2013 05:28:20 +0900
Subject: [ncc-services-wg] Fwd: GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To: <20130101195335.GA40732@Space.Net>
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie> <20130101195335.GA40732@Space.Net>
Message-ID:

> I can see the wish to simplify the structure by merging all sorts of
> contracts "users that pay money for NCC services" into a single bin,
> labeled "paying members" (like dnsmon, etc) - and I would not object
> to that. RIPE DB NRTM mirrors(!) have been mentioned to fall under
> that category as well.

/* this is a bit of a $subject drift. but there are some large expensive non-NIC projects which are cross-subsidized and not directly charged. i am not sure about looking into each one and charging for it, as i fear that might lead to micro-management and stunt research.

let me use atlas as an example. it is quite expensive. if we want decent atlas coverage in china, japan, thailand, ... (just examples), then atlas use has to be open to non-members.
this damned internet thing is global. */

but, as i said, $subject drift. my point was NIC services, ip address management and publication of information about ip address management, not the ncc's research and other non-NIC initiatives.

the NICs are here to serve the internet, not some small self-serving community. imiho, restricting information of basic NIC data, ip address information, is counter to the basic social contract of the internet.

so, as i said, i suspect we may have some miscommunication here.

randy

From sander at steffann.nl Tue Jan 1 23:43:21 2013
From: sander at steffann.nl (Sander Steffann)
Date: Tue, 1 Jan 2013 23:43:21 +0100
Subject: [ncc-services-wg] GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To:
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie>
Message-ID:

Hi,

>> This seems odd. I can't seem to find any mention of charging for bulk
>> whois access in the RIPE NCC AGM or the PDP.
>
> the ncc _seems_ to have taken upon itself, with no public mandate or
> bottom up process, to incrementally make the nic a members only
> organization. as the nics are here to serve the internet, this is a
> major change. if the ncc is not here to serve the internet, then we may
> need to rethink how we handle internet coordination.
>
> something smells very broken here. maybe we are just misinformed.

Yeah, that does sound broken. Let's hope that it is indeed miscommunication.

Sander

From sander at steffann.nl Wed Jan 2 00:18:21 2013
From: sander at steffann.nl (Sander Steffann)
Date: Wed, 2 Jan 2013 00:18:21 +0100
Subject: [ncc-services-wg] GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To:
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie>
Message-ID: <3FF61230-E2DA-4600-BC91-C3C3CFE3F0F6@steffann.nl>

Hi,

>>> This seems odd. I can't seem to find any mention of charging for bulk
>>> whois access in the RIPE NCC AGM or the PDP.
>>
>> the ncc _seems_ to have taken upon itself, with no public mandate or
>> bottom up process, to incrementally make the nic a members only
>> organization. as the nics are here to serve the internet, this is a
>> major change. if the ncc is not here to serve the internet, then we may
>> need to rethink how we handle internet coordination.
>>
>> something smells very broken here. maybe we are just misinformed.
>
> Yeah, that does sound broken. Let's hope that it is indeed miscommunication.

Looking at http://www.ripe.net/ripe/docs/ripe-558 (the activity plan for 2013) the RIPE Database Proxy Service is indeed listed as a member-only service, and the members approved of that activity plan. So the NCC and the NCC board can't be blamed for this. The members (and yes: that includes me) should be careful what they vote for...

IMHO the proxy service should have never been included in the member-only-services list, and I suspect that many members didn't realize the impact of approving this change in the activity plan.

Another point is whether the NCC members are the ones to decide such a change. It is their money that funds the RIPE NCC whois service, but it is not their data...

- Sander

From job.snijders at atrato-ip.com Wed Jan 2 00:28:45 2013
From: job.snijders at atrato-ip.com (Job Snijders)
Date: Wed, 2 Jan 2013 00:28:45 +0100
Subject: [ncc-services-wg] GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To: <3FF61230-E2DA-4600-BC91-C3C3CFE3F0F6@steffann.nl>
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie> <3FF61230-E2DA-4600-BC91-C3C3CFE3F0F6@steffann.nl>
Message-ID: <42715C6A-FEDB-4A25-A363-770A04EF8568@atrato-ip.com>

Hi,

On Jan 2, 2013, at 12:18 AM, Sander Steffann wrote:

> IMHO the proxy service should have never been included in the member-only-services list, and I suspect that many members didn't realize the impact of approving this change in the activity plan.

I don't recall approving this change.
In the draft [1] published in August 2012 also no mention of making the Proxy Service "members only".

Kind regards,

Job

[1] http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-ncc-activity-plan-and-budget-2013

From sander at steffann.nl Wed Jan 2 10:21:32 2013
From: sander at steffann.nl (Sander Steffann)
Date: Wed, 2 Jan 2013 10:21:32 +0100
Subject: [ncc-services-wg] GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To: <42715C6A-FEDB-4A25-A363-770A04EF8568@atrato-ip.com>
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie> <3FF61230-E2DA-4600-BC91-C3C3CFE3F0F6@steffann.nl> <42715C6A-FEDB-4A25-A363-770A04EF8568@atrato-ip.com>
Message-ID: <42C6225D-8893-477F-95A6-9219AD349795@steffann.nl>

Hi Job,

I looked a bit further and you are right. The activity plan as documented in http://www.ripe.net/ripe/docs/ripe-558 is *not* the same as the one that the members voted on which was announced (http://www.ripe.net/ripe/mail/archives/ncc-announce/2012-September/000612.html) and published at http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-ncc-activity-plan-and-budget-2013. Appendix 1, which lists the proxy service as member-only, has been inserted *after* the members voted on it.

This is so very wrong and totally unacceptable. Now I really demand an explanation from the board!

Kind regards,
Sander Steffann

On 2 Jan 2013, at 00:28, Job Snijders wrote:

> Hi,
>
> On Jan 2, 2013, at 12:18 AM, Sander Steffann wrote:
>
>> IMHO the proxy service should have never been included in the member-only-services list, and I suspect that many members didn't realize the impact of approving this change in the activity plan.
>
> I don't recall approving this change. In the draft [1] published in August 2012 also no mention of making the Proxy Service "members only".
>
> Kind regards,
>
> Job
>
> [1] http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-ncc-activity-plan-and-budget-2013

From matthias.cramer at iway.ch Wed Jan 2 10:26:17 2013
From: matthias.cramer at iway.ch (Matthias Cramer)
Date: Wed, 02 Jan 2013 10:26:17 +0100
Subject: [ncc-services-wg] GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To: <42C6225D-8893-477F-95A6-9219AD349795@steffann.nl>
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie> <3FF61230-E2DA-4600-BC91-C3C3CFE3F0F6@steffann.nl> <42715C6A-FEDB-4A25-A363-770A04EF8568@atrato-ip.com> <42C6225D-8893-477F-95A6-9219AD349795@steffann.nl>
Message-ID: <50E3FD39.1090501@iway.ch>

Hi All

I like to have an explanation too. As I also work for SwissIX (a non for profit Exchange in Switzerland) and we have tried to get a DB mirror to build filters against.

Regards

Matthias

On 02/01/13 10:21, Sander Steffann wrote:
> Hi Job,
>
> I looked a bit further and you are right. The activity plan as documented in http://www.ripe.net/ripe/docs/ripe-558 is *not* the same as the one that the members voted on which was announced
> (http://www.ripe.net/ripe/mail/archives/ncc-announce/2012-September/000612.html) and published
> at http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-ncc-activity-plan-and-budget-2013. Appendix 1, which lists the proxy service as member-only, has been inserted *after*
> the members voted on it.
>
> This is so very wrong and totally unacceptable. Now I really demand an explanation from the board!
>
> Kind regards,
> Sander Steffann
>
> On 2 Jan 2013, at 00:28, Job Snijders wrote:
>
>> Hi,
>>
>> On Jan 2, 2013, at 12:18 AM, Sander Steffann wrote:
>>
>>> IMHO the proxy service should have never been included in the member-only-services list, and I suspect that many members didn't realize the impact of approving this change in the activity plan.
>>
>> I don't recall approving this change. In the draft [1] published in August 2012 also no mention of making the Proxy Service "members only".
>>
>> Kind regards,
>>
>> Job
>>
>> [1] http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-ncc-activity-plan-and-budget-2013

--
Matthias Cramer / mc322-ripe       Senior Network & Security Engineer
iway AG                            Phone +41 43 500 1111
Badenerstrasse 569                 Fax   +41 44 271 3535
CH-8048 Zurich                     http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250

From gert at space.net Wed Jan 2 12:13:22 2013
From: gert at space.net (Gert Doering)
Date: Wed, 2 Jan 2013 12:13:22 +0100
Subject: [ncc-services-wg] GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To: <42C6225D-8893-477F-95A6-9219AD349795@steffann.nl>
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie> <3FF61230-E2DA-4600-BC91-C3C3CFE3F0F6@steffann.nl> <42715C6A-FEDB-4A25-A363-770A04EF8568@atrato-ip.com> <42C6225D-8893-477F-95A6-9219AD349795@steffann.nl>
Message-ID: <20130102111322.GF40732@Space.Net>

Hi,

On Wed, Jan 02, 2013 at 10:21:32AM +0100, Sander Steffann wrote:
> This is so very wrong and totally unacceptable. Now I really demand an explanation from the board!

+1

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From gert at space.net Wed Jan 2 12:17:11 2013
From: gert at space.net (Gert Doering)
Date: Wed, 2 Jan 2013 12:17:11 +0100
Subject: [ncc-services-wg] GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To: <50E3FD39.1090501@iway.ch>
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie> <3FF61230-E2DA-4600-BC91-C3C3CFE3F0F6@steffann.nl> <42715C6A-FEDB-4A25-A363-770A04EF8568@atrato-ip.com> <42C6225D-8893-477F-95A6-9219AD349795@steffann.nl> <50E3FD39.1090501@iway.ch>
Message-ID: <20130102111711.GG40732@Space.Net>

Hi,

On Wed, Jan 02, 2013 at 10:26:17AM +0100, Matthias Cramer wrote:
> I like to have an explanation too. As I also work for SwissIX (a non for profit Exchange in Switzerland) and we have tried to get a DB mirror to build filters against.

DB *mirrors* have been in the list of now-members-only services all the time - they have been costing money for a long time, this is just shifting to the new contract model now.

(From a technical pov, all other exchanges manage to build their filters without a local mirror, so maybe that decision needs some thinking :-) )

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From ripencc-management at ripe.net Wed Jan 2 16:57:01 2013
From: ripencc-management at ripe.net (Axel Pawlik)
Date: Wed, 02 Jan 2013 16:57:01 +0100
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
Message-ID: <50E458CD.8030604@ripe.net>

[Apologies for duplicate emails]

Dear colleagues,

There has been discussion on various mailing lists regarding the status of the RIPE Database Proxy Service.
Before I address the issues that arose, I'd like to give you some background information on the service itself that may help with the discussions.

Technical Background
--------------------

To prevent the automatic harvesting of personal information (real names, email addresses, phone numbers) from the RIPE Database, there are PERSON and ROLE object query limits defined in the RIPE Database Acceptable Use Policy. This is set at 1,000 PERSON or ROLE objects per IP address per day. Queries that result in more than 1,000 objects with personal data being returned result in that IP address being blocked from carrying out queries for that day.

Users of the RIPE Database have unlimited access to Network Information Centre (NIC)-related objects. They can use the -r flag in order to filter out personal objects and query NIC objects without any limitations.

The RIPE Database Proxy Service allows websites to provide a third party interface to the RIPE Database. Without the proxy service, the third parties would quickly run into the limits set on RIPE Database queries. With the proxy service, we whitelist the third party IP address and ask them to pass their user's IP address to us, so limits are only set on the user's IP address, not the third party's.

There is no technical way to ensure that the user IP addresses passed to us by the third party are valid. Potentially, third party users of the proxy service could harvest all personal data in the RIPE Database (approximately 2 million objects) in a matter of hours. To ensure that the RIPE NCC's Terms and Conditions are followed, we require a contract between the third party and the RIPE NCC.

Users of the Proxy Service
--------------------------

In the past ten years, the RIPE NCC has had 31 requests for the proxy service and over the past year, there have been only four active users of the service. Of these four, one is already a RIPE NCC member.

NIC Information
---------------

All NIC information is still available without access to the proxy service. In the normal presentation of whois data, there is a redirect system that allows users with a normal whois client to deal directly with the RIPE Database whois service. There is no need for a proxy service in this scenario. The proxy service is only necessary if the data needs to be presented in alternative forms, such as on a third party's website.

The limits imposed on RIPE Database queries only apply to personal data. Users can always access NIC data in any form they like if they are happy not to receive personal data.

On 6 March 2012, the RIPE NCC proposed to change the default behaviour of the query system to instead return only "ALLOWED" results if a user had reached their daily personal data query limit, but there was disagreement over this on the mailing list so the change was not implemented. The proposal is available at:
http://www.ripe.net/ripe/mail/archives/db-wg/2012-March/003885.html

Legal Considerations
--------------------

The RIPE NCC operates under European Data Protection laws, so to avoid risk in this area we insist on having a contract with third parties who wish to use the proxy service.

The RIPE NCC and its Executive Board believes that the proxy service should become a member service because it tightens the contractual relationship between the RIPE NCC and third parties. Currently, no such agreement that meets the EU Data Protection legislation is in place between the RIPE NCC and the proxy service users.

In order to tighten the contractual relationship between the RIPE NCC and the Proxy service users, taking into account the recent approval of the Charging Scheme 2013 that caused a simplification of the contractual agreements between the RIPE NCC and its service users, the RIPE NCC offered to conclude the membership agreement for continuation of the service.

Next Steps?
------------

The Executive Board approved changes to the draft version of the Activity Plan and Budget 2013, and the RIPE NCC published the final version on 13 December 2012:
http://www.ripe.net/internet-coordination/news/announcements/ripe-ncc-activity-plan-and-budget-2013

We do apologise, however, that the changes regarding the proxy service were not more explicitly communicated to the members and the RIPE community in advance of the final publication of the Activity Plan.

The RIPE NCC asks that non-RIPE NCC member proxy service users become members but we propose to waive their membership fee until the discussion of the RIPE NCC Charging Scheme 2014 takes place. This will give the membership and community the opportunity to discuss the best way forward for the proxy service in the coming months while ensuring a strong contractual bond between the RIPE NCC and users of this service.

In the meantime, there will be no changes to the proxy service and no loss of functionality for the community.

The RIPE NCC and its Executive Board will return to its members with proposals for ways to ensure that their wishes are met with regard to service developments while allowing the RIPE NCC to operate efficiently and responsively.

If you have any comments on this issue, please direct them to this mailing list.

Best regards,

Axel Pawlik
Managing Director
RIPE NCC

From roland at internetpolicyagency.com Wed Jan 2 18:09:34 2013
From: roland at internetpolicyagency.com (Roland Perry)
Date: Wed, 2 Jan 2013 17:09:34 +0000
Subject: [ncc-services-wg] Fwd: GeekTools Whois Proxy and RIPE/RIPE-NCC
In-Reply-To: <50E1E603.5070707@netability.ie>
References: <71BEAB45-2AC4-4573-BF20-35B6BAB1B119@centergate.com> <50E1E603.5070707@netability.ie>
Message-ID:

In message <50E1E603.5070707 at netability.ie>, at 19:22:43 on Mon, 31 Dec 2012, Nick Hilliard writes
>I wanted to let you know that as of midnight tonight, apparently, you
>won't be able to use GeekTools for RIPE related queries.
>If you have
>automated scripts, and you are one of the users who has expanded access
>to GeekTools, you'll need to find an alternative for RIPE queries
>*today*.

It seems to be still working today, but maybe it's still the holiday season in Amsterdam and they haven't "thrown the switch" yet.

>My guess is that you will be able to query RIPE directly, once you have
>worked out that the address space is within RIPE's assignments.

I always use LACNIC's whois, which integrates all the RIRs. Is that another proxy service that will either have to pay up or switch off? (Noting the possibility that this is all a miscommunication).

Or perhaps Geektools could use LACNIC for all RIR lookups.
--
Roland Perry

From nick at netability.ie Wed Jan 2 23:38:27 2013
From: nick at netability.ie (Nick Hilliard)
Date: Wed, 02 Jan 2013 22:38:27 +0000
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <50E458CD.8030604@ripe.net>
References: <50E458CD.8030604@ripe.net>
Message-ID: <50E4B6E3.9060305@netability.ie>

On 02/01/2013 15:57, Axel Pawlik wrote:
> RIPE NCC offered to conclude the membership agreement for continuation
> of the service.
[...]
> The RIPE NCC asks that non-RIPE NCC member proxy service users become
> members but we propose to waive their membership fee until the discussion
> of the RIPE NCC Charging Scheme 2014 takes place.

Axel,

Thanks for your prompt reply and for providing an explanation of this decision.

I have no objection to requesting a contract for access to bulk data access provided by the RIPE NCC.

I do, however, have a problem with:

- the general concept of requiring RIPE NCC membership for services which were previously available on a free-as-in-beer basis.

- executive decisions being made which have a significant impact on the RIPE community, and which are made without consultation with either the RIPE NCC membership or the RIPE community.

The decision by the RIPE NCC board to require RIPE NCC membership for proxy database access is not based on either a RIPE community or a RIPE NCC membership mandate, and I'm surprised to find out about this decision on nanog-l. Can you please roll back this decision until we've had some sensible debate on the matter,

thanks,

Nick
--
Network Ability Ltd. ie.netability

From job.snijders at atrato-ip.com Wed Jan 2 23:45:31 2013
From: job.snijders at atrato-ip.com (Job Snijders)
Date: Wed, 2 Jan 2013 23:45:31 +0100
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <50E4B6E3.9060305@netability.ie>
References: <50E458CD.8030604@ripe.net> <50E4B6E3.9060305@netability.ie>
Message-ID: <0F5BE951-F831-447B-A6B9-3A9B4735AB04@atrato-ip.com>

Hi Nick,

On Jan 2, 2013, at 11:38 PM, Nick Hilliard wrote:

> Can you please roll back this decision until we've had some
> sensible debate on the matter,

Alex did email us "In the meantime, there will be no changes to the proxy service and no loss of functionality for the community."

Rodney Joffe from geektools confirmed that the service did not go down on first of January 2013 and still is functional today, same as it was 31st of December 2012.

It seems to me that the deadlines have been removed for now and the playing ground has been set up so that we can engage in proper discussion.

Kind regards,

Job

From nick at netability.ie Thu Jan 3 00:15:54 2013
From: nick at netability.ie (Nick Hilliard)
Date: Wed, 02 Jan 2013 23:15:54 +0000
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <0F5BE951-F831-447B-A6B9-3A9B4735AB04@atrato-ip.com>
References: <50E458CD.8030604@ripe.net> <50E4B6E3.9060305@netability.ie> <0F5BE951-F831-447B-A6B9-3A9B4735AB04@atrato-ip.com>
Message-ID: <50E4BFAA.8040204@netability.ie>

On 02/01/2013 22:45, Job Snijders wrote:
> It seems to me that the deadlines have been removed for now and the
> playing ground has been set up so that we can engage in proper discussion.

The demand for RIPE NCC membership (with waived fees for at least 9 months) still stands. I think it inappropriate for this demand to remain until the issue is resolved with the ripe community / ripe ncc membership.

Nick

From m.hallgren at free.fr Thu Jan 3 00:58:26 2013
From: m.hallgren at free.fr (Michael Hallgren)
Date: Thu, 03 Jan 2013 00:58:26 +0100
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <50E4BFAA.8040204@netability.ie>
References: <50E458CD.8030604@ripe.net> <50E4B6E3.9060305@netability.ie> <0F5BE951-F831-447B-A6B9-3A9B4735AB04@atrato-ip.com> <50E4BFAA.8040204@netability.ie>
Message-ID: <50E4C9A2.1060405@free.fr>

On 03/01/2013 00:15, Nick Hilliard wrote:
> On 02/01/2013 22:45, Job Snijders wrote:
>> It seems to me that the deadlines have been removed for now and the
>> playing ground has been set up so that we can engage in proper discussion.
> The demand for RIPE NCC membership (with waived fees for at least 9 months)
> still stands. I think it inappropriate for this demand to remain until the
> issue is resolved with the ripe community / ripe ncc membership.
>
> Nick
>
>

Yes, and would have seemed much preferred to take the case transparently to the community in the first place. (Let's use it as a classroom example for the future.)

Cheers

mh

From sander at steffann.nl Thu Jan 3 08:38:32 2013
From: sander at steffann.nl (Sander Steffann)
Date: Thu, 3 Jan 2013 08:38:32 +0100
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <50E4BFAA.8040204@netability.ie>
References: <50E458CD.8030604@ripe.net> <50E4B6E3.9060305@netability.ie> <0F5BE951-F831-447B-A6B9-3A9B4735AB04@atrato-ip.com> <50E4BFAA.8040204@netability.ie>
Message-ID:

Hi,

> The demand for RIPE NCC membership (with waived fees for at least 9 months)
> still stands. I think it inappropriate for this demand to remain until the
> issue is resolved with the ripe community / ripe ncc membership.

Very big +1

Sander

From andrey at trifle.net Wed Jan 2 19:43:33 2013
From: andrey at trifle.net (Andrey Semenchuk)
Date: Wed, 02 Jan 2013 20:43:33 +0200
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <50E458CD.8030604@ripe.net>
References: <50E458CD.8030604@ripe.net>
Message-ID: <50E47FD5.4000008@trifle.net>

Hello,

Sorry, but the main question in this discussion seems to be wrong.

What kind of goal we're trying to reach? To protect personal data from being processed not in that way or purpose they were collected by the RIPE? - but RIPE can't guarantee that the third parties will process data for the legal way or purpose. It will not be guaranteed nor by direct access to RIPE's database nor by access via proxy service.

The main question we should answer: why personal data are stored in RIPE database?

There're two answers on this question:

1. The only goal of this data is to provide information to the RIPE
=======================================
In this case all personal data should not be visible to any other parties

2. Data must provide contact information to any parties to be able to communicate with the person who described by the personal data object
==============================================================================
In this case personal data provided and processed in the same way and purpose that they were collected and no restrictions should be used

Axel, I'd like to pay your attention that RIPE (or any other organisation or individual) can:
- protect personal data
- do not protect personal data

That's all. There's no third option

As soon we speaking that the limitation of the FREE access to personal data is the means of the personal data protection - we're deceiving ourselves. We DO NOT protect personal data.

Also, I'd like to pay your attention that /64 IPv6 block should be provided to any End Site (according to ripe-538). So, if the RIPE database contains 2,000,000 of records - the /64 allocation is enough to get all personal data from the database in a one hour for many-many-many times and it will avoid any RIPE limitations. So, in case of IPv6 access no limitations will work

All the RIPE should provide - is the limited access to personal data (but not in the way it was proposed). All data should be stored in RIPE database. And any person should have a choice: to provide free access to this personal data or not. If the End User does not allow to provide free access to his/her personal data - the only one information should be displayed - is the phone (the phone number is not the personal information). It will provide acceptable level of direct communication to the personnel of the resource holder organization (for this type of communication the name of person is not required because it's not the private call and this call made to "any person who can and may help with the issue"). Nor person's address nor person's name should be provided. Email address should be provided in output from the RIPE database but not the person's email address but the RIPE's robot email address with unique and autogenerated key that provide information to the robot to identify the person and forward email to his/her.
Any parties can send email to the person from the RIPE database and this letter will be delivered by the RIPE robot (and robot will resend this letter to the correct recipient) - in this case the initial communication between third parties and the person from RIPE database contains no private information

--
Best wishes,
Andrey Semenchuk
Trifle Internet Service Provider
(056) 731-99-11
www.trifle.net

From randy at psg.com Thu Jan 3 09:08:16 2013
From: randy at psg.com (Randy Bush)
Date: Thu, 03 Jan 2013 17:08:16 +0900
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <50E4BFAA.8040204@netability.ie>
References: <50E458CD.8030604@ripe.net> <50E4B6E3.9060305@netability.ie> <0F5BE951-F831-447B-A6B9-3A9B4735AB04@atrato-ip.com> <50E4BFAA.8040204@netability.ie>
Message-ID:

as i am not a european or a ripe member, i generally try not to make non-technical comments on ncc policy. but, in this case, i am employed by a current user of this service.

>> It seems to me that the deadlines have been removed for now and the
>> playing ground has been set up so that we can engage in proper
>> discussion.
> The demand for RIPE NCC membership (with waived fees for at least 9
> months) still stands. I think it inappropriate for this demand to
> remain until the issue is resolved with the ripe community / ripe ncc
> membership.

imiho, there are at least two issues. first is the one you address, that the game was changed after the members' approval, that is a violation of trust, and should be completely revoked, not just pushed ahead with a cost suspension.

the second is the contractual issue. i understand the ncc feeling it needs a contractual relationship with bulk data users. this is needed to ensure respect for the data. the confusion here is that this need not be the membership contract. in fact, i wonder if (i confess to not checking) the membership agreement protects the bulk data.

randy

From jim at rfc1035.com Thu Jan 3 11:10:17 2013
From: jim at rfc1035.com (Jim Reid)
Date: Thu, 3 Jan 2013 10:10:17 +0000
Subject: [ncc-services-wg] Personal Data and Database Proxy services
In-Reply-To: <50E47FD5.4000008@trifle.net>
References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net>
Message-ID: <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com>

On 2 Jan 2013, at 18:43, Andrey Semenchuk wrote:

> the phone number is not the personal information

Sorry Andrey, it is. In the context of EU Data Protection legislation, ANY data identifying a Living Person is Personal Data. So things like (throwaway) email addresses, phone numbers, IM handles, URLs for someone's Facebook pages and so on are covered by the same Data Protection principles that would apply to a social security number, passport details or postal address.

BTW, Europe's Data Protection Authorities can have different perspectives on what is and isn't acceptable even though the national Data Protection legislation in each EU country is underpinned by the same EU directives. Whatever works in one jurisdiction might not be allowed in another. Or vice versa. So unless you're based in the Netherlands please don't assume that whatever your DPA tells you (if you have one) is the same as the Dutch one tells the NCC.

> What kind of goal we're trying to reach? To protect personal data from being processed not in that way or purpose they were collected by the RIPE? - but RIPE can't guarantee that the third parties will process data for the legal way or purpose.

This is precisely the problem. RIPE NCC is the Data Controller. It *has* to have a contractual relationship with any Data Processors (like a proxy service provider). The same Data Protection regime used by the Data Controller has to apply to any downstream Data Processors. The NCC can't just hand over the Personal Data in its databases and let anyone do whatever they want with that data.
The matter at hand is the nature of the contractual relationship with these third parties. There's some confusion about that and how best to proceed. Clearly we need to arrive at a consensus. This will presumably involve production of a policy about third party access to the NCC database(s) or fixing whatever's broken in the current policy. To my mind there are essentially three options to choose from. All three will mean the third parties sign something that conforms with the NCC's EU/NL Data Protection obligations. 1) Provide third party access at no charge as a general public benefit. 2) Provide third party access for a fee which might (or might not) cover the NCC's costs for providing that service. 3) Restrict third party access to NCC members only. FWIW I can see advantages and disadvantages to all of these. I favour a fourth option: terminate all third party access and provide no bulk export from the database at all. That one's unlikely to be popular so I didn't suggest it. From lists-ripe at c4inet.net Thu Jan 3 11:47:35 2013 From: lists-ripe at c4inet.net (Sascha Luck) Date: Thu, 3 Jan 2013 10:47:35 +0000 Subject: [ncc-services-wg] Personal Data and Database Proxy services In-Reply-To: <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> Message-ID: <20130103104735.GA53287@cilantro.c4inet.net> On Thu, Jan 03, 2013 at 10:10:17AM +0000, Jim Reid wrote: >I favour a fourth option: terminate all third party access and provide >no bulk export from the database at all. That one's unlikely to be >popular so I didn't suggest it. a fifth option, assuming it is technically feasible: provide all non-identifying data FOC to anyone but restrict all access (bulk or otherwise) to personal data (presumably person: and maybe role: objects) to members or under contract. 
Contracts to contain language restricting the purposes for which this data can be used and strict penalties for mis-use.

Regards,
Sascha Luck

From teun at bit.nl Thu Jan 3 12:00:31 2013
From: teun at bit.nl (Teun Vink)
Date: Thu, 03 Jan 2013 12:00:31 +0100
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <50E458CD.8030604@ripe.net>
References: <50E458CD.8030604@ripe.net>
Message-ID: <1357210831.23125.19.camel@moridin>

On Wed, 2013-01-02 at 16:57 +0100, Axel Pawlik wrote:
[...]
> In the meantime, there will be no changes to the proxy service and no
> loss of functionality for the community.
>
> The RIPE NCC and its Executive Board will return to its members with
> proposals for ways to ensure that their wishes are met with regard to
> service developments while allowing the RIPE NCC to operate
> efficiently and responsively.

Hello Axel,

Thank you for the clarification. In addition to points already addressed by others I have another remark and question:

RIPE NCC sent me the contracts on December 17th stating they had to be signed and returned before the 31st. It amazes me that RIPE NCC sent these out just before the holidays, making it impossible for us (and I think many others) to have these documents reviewed by the right people and returned in time.

Now that we've had time to review the document and that I've read your email I'm wondering if I still need to sign and return these documents. Could you please elaborate?

Best regards,

--
Teun Vink, Network Engineer
BIT BV | teun at bit.nl | +31 318 648 688
KvK: 09090351 | GPG: 0x5A04F4E2 | RIPE: TEUN-RIPE

From andrey at trifle.net Thu Jan 3 12:53:27 2013
From: andrey at trifle.net (Andrey Semenchuk)
Date: Thu, 03 Jan 2013 13:53:27 +0200
Subject: [ncc-services-wg] Personal Data and Database Proxy services
In-Reply-To: <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com>
References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com>
Message-ID: <50E57137.5030608@trifle.net>

Jim Reid wrote:
> On 2 Jan 2013, at 18:43, Andrey Semenchuk wrote:
>
>> the phone number is not the personal information
> Sorry Andrey, it is.
>
> In the context of EU Data Protection legislation, ANY data identifying a Living Person is Personal Data.

"Person" object intended to identify employer of the organisation that holds objects in the RIPE database (aut-num, domain, inet-num, etc). In this case the phone in person object is not the personal phone but the phone provided by employer. It's the service phone that should not identify the person. If someone puts there his/her private phone - it's not the RIPE database problem - maybe this person considers its private life (or part of it) as a public information. In any case this phone publication - is the decision of the person and RIPE (even if this information is public and has none limitations of access) provides access to the data in compliance with the person's intentions,

If we want to make data protection safer - ok, let's strip phone information from the database output of the person object. In this case only organisation objects will contain phones.

>> What kind of goal we're trying to reach? To protect personal data from being processed not in that way or purpose they were collected by the RIPE? - but RIPE can't guaranty that the third parties will process data for the legal way or purpose.
>>
>
> This is precisely the problem. RIPE NCC is the Data Controller.
It *has* to have a contractual relationship with any Data Processors (like a proxy service provider). The same Data Protection regime used by the Data Controller has to apply to any downstream Data Processors. The NCC can't just hand over the Personal Data in its databases and let anyone do whatever they want with that data. > Is there any chance to identify Data Processor systems? Not the person who queries RIPE database search but any type of Data Processor system? It's not. Any data processor system can make a single request from IP address in a day (in IPv6 address space it's not a problem) and none system will tell this data processor system from the user who queries the database The current question with data protection exists because the database provide personal data. And all we should do - is to cut personal data from the output. Personal information from the RIPE database (even if it is there) does not required to solve any situation between the Internet user (or organisation) and any resource holder - all communication will be done on "user (who initiate communication) -- organisation (resource holder)" or "organisation (that initiate communication) -- organisation (resource holder)". That's all > The matter at hand is the nature of the contractual relationship with these third parties. There's some confusion about that and how best to proceed. Clearly we need to arrive at a consensus. This will presumably involve production of a policy about third party access to the NCC database(s) or fixing whatever's broken in the current policy. As soon we provide access to personal data that are stored (or may be stored) in RIPE database on any basis - the first question should be not about relations between RIPE and third parties that may collect and process that data. The first question should be: is every person who stores personal data in the RIPE database agrees with this situation and allow to collect/process his/her data by any organisation except RIPE? 
If the person wished to provide free access to his/her personal data - RIPE should provide this access without any limitation. All data protection RIPE should provide - is a storage protection. If the person wishes to provide this information to RIPE only - no personal data should be displayed to any other third party. It's so simple!

We're trying to answer to question that is not the main question by itself. The main question is: provide or do not provide personal information to third parties?

--
Best wishes,
Andrey Semenchuk
Trifle Internet Service Provider
(056) 731-99-11
www.trifle.net

From lists-ripe at c4inet.net Thu Jan 3 13:58:30 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Thu, 3 Jan 2013 12:58:30 +0000
Subject: [ncc-services-wg] Personal Data and Database Proxy services
In-Reply-To: <50E57137.5030608@trifle.net>
References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net>
Message-ID: <20130103125830.GA53665@cilantro.c4inet.net>

On Thu, Jan 03, 2013 at 01:53:27PM +0200, Andrey Semenchuk wrote:
>"Person" object intended to identify employer of the organisation
>that holds objects in the RIPE database (aut-num, domain, inet-num,
>etc). In this case the phone in person object is not the personal
>phone but the phone provided by employer. It's the service phone that
>should not identify the person. If someone puts there his/her
>private phone - it's not the RIPE database problem - maybe this
>person considers its private life (or part of it) as a public
>information. In any case this phone publication - is the decision of
>the person and RIPE (even if this information is public and has none
>limitations of access) provides access to the data in compliance with
>the person's intentions,

Individuals hold IP space and other resources.
Actually, in that case, even the organisation: object must be considered personal data as it usually even contains physical address information. >If the person wished to provide free access to his/her personal data >- RIPE should provide this access without any limitation. All data >protection RIPE should provide - is a storage protection. If the >person wishes to provide this information to RIPE only - no personal >data should be displayed to any other third party. It's so simple! That leaves the issue of masking this data from whois - no idea whether this is technically even possible. Regards, Sascha Luck From andrey at trifle.net Thu Jan 3 14:20:15 2013 From: andrey at trifle.net (Andrey Semenchuk) Date: Thu, 03 Jan 2013 15:20:15 +0200 Subject: [ncc-services-wg] Personal Data and Database Proxy services In-Reply-To: <20130103125830.GA53665@cilantro.c4inet.net> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net> <20130103125830.GA53665@cilantro.c4inet.net> Message-ID: <50E5858F.5020405@trifle.net> Sascha Luck wrote: > Actually, in that case, > even the organisation: object must be considered personal data as it > usually even contains physical address information. Organisation is not the person "'personal data' shall mean any information relating to an identified or identifiable natural person" (q) Directive 95/46/EC of the European Parliament and of the Council >> If the person wished to provide free access to his/her personal data >> - RIPE should provide this access without any limitation. All data >> protection RIPE should provide - is a storage protection. If the >> person wishes to provide this information to RIPE only - no personal >> data should be displayed to any other third party. It's so simple! > > That leaves the issue of masking this data from whois - no idea whether > this is technically even possible. 
Technically, specifying the data that should be provided and the data that shouldn't - it's even not a question for discussion "is it possible or not". Of course it's possible. It's not the subject of heuristic analysis of the arbitrary data - all the information stored inside the database (whatever type of database that is used) and specifying the criteria for displaying (or masking) data it not the question of possibility - it's the question of realization -- Best wishes, Andrey Semenchuk Trifle Internet Service Provider (056) 731-99-11 www.trifle.net From lists-ripe at c4inet.net Thu Jan 3 14:45:38 2013 From: lists-ripe at c4inet.net (Sascha Luck) Date: Thu, 3 Jan 2013 13:45:38 +0000 Subject: [ncc-services-wg] Personal Data and Database Proxy services In-Reply-To: <50E5858F.5020405@trifle.net> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net> <20130103125830.GA53665@cilantro.c4inet.net> <50E5858F.5020405@trifle.net> Message-ID: <20130103134538.GA53810@cilantro.c4inet.net> On Thu, Jan 03, 2013 at 03:20:15PM +0200, Andrey Semenchuk wrote: >Organisation is not the person > >"'personal data' shall mean any information relating to an identified >or identifiable natural person" (q) Directive 95/46/EC of the >European Parliament and of the Council Yes. If a natural person holds internet resources, the organisation: object is that person. I'm assuming you don't intend to ban natural persons from holding resources (and thereby requiring an organisation: object)? 
Regards, Sascha Luck From shane at time-travellers.org Thu Jan 3 14:13:33 2013 From: shane at time-travellers.org (Shane Kerr) Date: Thu, 3 Jan 2013 14:13:33 +0100 Subject: [ncc-services-wg] RIPE NCC as communication go-between, was RIPE Database Proxy Service Issues In-Reply-To: <50E47FD5.4000008@trifle.net> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> Message-ID: <20130103141333.0c14eb49@shane-desktop> Andrey, On Wednesday, 2013-01-02 20:43:33 +0200, Andrey Semenchuk wrote: > > 2. Data must provide contact information to any parties to be able to > communicate with the person who described by the personal data object > ============================================================================== > In this case personal data provided and processed in the same way and > purpose that they were collected and no restrictions should be used An alternate approach would be for the RIPE NCC to act as a go-between for communicating with resource holders. For example, if I know which hotel you are staying at, I can call the hotel and ask them to put me through to your room so I can talk to you, or I can leave a message. The hotel should not give me your room number, or any other information about you that they know. Likewise the RIPE NCC could convey messages to resource holders. In such a system we would not have to publish ANY private information. 
Cheers,

--
Shane

From andrey at trifle.net Thu Jan 3 14:48:48 2013
From: andrey at trifle.net (Andrey Semenchuk)
Date: Thu, 03 Jan 2013 15:48:48 +0200
Subject: [ncc-services-wg] Personal Data and Database Proxy services
In-Reply-To: <20130103134538.GA53810@cilantro.c4inet.net>
References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net> <20130103125830.GA53665@cilantro.c4inet.net> <50E5858F.5020405@trifle.net> <20130103134538.GA53810@cilantro.c4inet.net>
Message-ID: <50E58C40.2050004@trifle.net>

Sascha Luck wrote:
> On Thu, Jan 03, 2013 at 03:20:15PM +0200, Andrey Semenchuk wrote:
>> Organisation is not the person
>>
>> "'personal data' shall mean any information relating to an identified
>> or identifiable natural person" (q) Directive 95/46/EC of the
>> European Parliament and of the Council
>
> Yes. If a natural person holds internet resources, the organisation:
> object is that person. I'm assuming you don't intend to ban natural
> persons from holding
> resources (and thereby requiring an organisation: object)?

http://www.ripe.net/data-tools/support/organisation-object-in-the-ripe-database
===========
The RIPE Database stores three main types of contact information: person, role and organisation objects. The person and role objects provide a way to find people responsible for operations or usage of the resources represented in the RIPE Database (IP blocks, Autonomous Systems, and domain names). However, these do not provide an easy way of mapping resources to a particular organisation. The organisation object fulfills this need.
===========

http://meetings.ripe.net/ripe-46/presentations/ripe46-db-organisation_object.pdf
===========
Idea
- Provide information about an organisation
- LIR
- Any other company, university, charity
===========

Organisation object contains information about organisation.
It's not the type of objects that should be used for natural person -- Best wishes, Andrey Semenchuk Trifle Internet Service Provider (056) 731-99-11 www.trifle.net From lists-ripe at c4inet.net Thu Jan 3 15:17:36 2013 From: lists-ripe at c4inet.net (Sascha Luck) Date: Thu, 3 Jan 2013 14:17:36 +0000 Subject: [ncc-services-wg] RIPE NCC as communication go-between, was RIPE Database Proxy Service Issues In-Reply-To: <20130103141333.0c14eb49@shane-desktop> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <20130103141333.0c14eb49@shane-desktop> Message-ID: <20130103141735.GA53839@cilantro.c4inet.net> On Thu, Jan 03, 2013 at 02:13:33PM +0100, Shane Kerr wrote: >An alternate approach would be for the RIPE NCC to act as a go-between >for communicating with resource holders. Not that I dislike the idea but, considering automated antispam bitching, that might be a DDoS vector ;) cheers, Sascha From andrey at trifle.net Thu Jan 3 15:03:28 2013 From: andrey at trifle.net (Andrey Semenchuk) Date: Thu, 03 Jan 2013 16:03:28 +0200 Subject: [ncc-services-wg] RIPE NCC as communication go-between, was RIPE Database Proxy Service Issues In-Reply-To: <20130103141333.0c14eb49@shane-desktop> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <20130103141333.0c14eb49@shane-desktop> Message-ID: <50E58FB0.2070009@trifle.net> Shane Kerr wrote: > On Wednesday, 2013-01-02 20:43:33 +0200, > Andrey Semenchuk wrote: > >> 2. Data must provide contact information to any parties to be able to >> communicate with the person who described by the personal data object >> ============================================================================== >> In this case personal data provided and processed in the same way and >> purpose that they were collected and no restrictions should be used >> > > An alternate approach would be for the RIPE NCC to act as a go-between > for communicating with resource holders. 
>

Actually this method was proposed in the letter you quote :) It will not work with phone numbers but with the emails - it will work. And already works for some public organisations which operates with personal data in compliance with Directive 95/46/EC. So RIPE has nothing to devise in this situation

--
Best wishes,
Andrey Semenchuk
Trifle Internet Service Provider
(056) 731-99-11
www.trifle.net

From andrey at trifle.net Thu Jan 3 15:04:41 2013
From: andrey at trifle.net (Andrey Semenchuk)
Date: Thu, 03 Jan 2013 16:04:41 +0200
Subject: [ncc-services-wg] RIPE NCC as communication go-between, was RIPE Database Proxy Service Issues
In-Reply-To: <20130103141735.GA53839@cilantro.c4inet.net>
References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <20130103141333.0c14eb49@shane-desktop> <20130103141735.GA53839@cilantro.c4inet.net>
Message-ID: <50E58FF9.8060502@trifle.net>

Sascha Luck wrote:
> On Thu, Jan 03, 2013 at 02:13:33PM +0100, Shane Kerr wrote:
>> An alternate approach would be for the RIPE NCC to act as a go-between
>> for communicating with resource holders.
>
> Not that I dislike the idea but, considering automated antispam
> bitching, that might be a DDoS vector ;)

... and if the DDoS occurs in this situation, it should be prevented as the any other DDoS

--
Best wishes,
Andrey Semenchuk
Trifle Internet Service Provider
(056) 731-99-11
www.trifle.net

From shane at time-travellers.org Thu Jan 3 15:05:37 2013
From: shane at time-travellers.org (Shane Kerr)
Date: Thu, 3 Jan 2013 15:05:37 +0100
Subject: [ncc-services-wg] RIPE Database Proxy Service Issues
In-Reply-To: <50E4B6E3.9060305@netability.ie>
References: <50E458CD.8030604@ripe.net> <50E4B6E3.9060305@netability.ie>
Message-ID: <20130103150537.38924e2f@shane-desktop>

All,

On Wednesday, 2013-01-02 22:38:27 +0000, Nick Hilliard wrote:
>
> I have no objection to requesting a contract for access to bulk data
> access provided by the RIPE NCC.
I do, however, have a problem with: > > - the general concept of requiring RIPE NCC membership for services > which were previously available on a free-as-in-beer basis. Especially since apparently this is something that really only affects a very few WHOIS users, so if this issue is a contract then it should be straightforward to get a free-but-binding contract for those folks. I vaguely remember from my days as manager of the RIPE Database group that we actually had signed contracts with such providers already, but perhaps the decade or so of time since those days has clouded my memory. > - executive decisions being made which have a significant impact on > the RIPE community, and which are made without consultation with > either the RIPE NCC membership or the RIPE community. I recognize that it is hard to know whether any particular issue is one that warrants community or member input. Nobody is perfect, and there will be mistakes. However, the default should be transparency. If in doubt, isn't the best idea to simply ask? You know, rather than make people upset because unpopular decisions were made without consultation. Again. -- Shane From shane at time-travellers.org Thu Jan 3 15:15:38 2013 From: shane at time-travellers.org (Shane Kerr) Date: Thu, 3 Jan 2013 15:15:38 +0100 Subject: [ncc-services-wg] RIPE NCC as communication go-between, was RIPE Database Proxy Service Issues In-Reply-To: <50E58FB0.2070009@trifle.net> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <20130103141333.0c14eb49@shane-desktop> <50E58FB0.2070009@trifle.net> Message-ID: <20130103151538.381fdcca@shane-desktop> Andrey, On Thursday, 2013-01-03 16:03:28 +0200, Andrey Semenchuk wrote: > Shane Kerr wrote: > > On Wednesday, 2013-01-02 20:43:33 +0200, > > Andrey Semenchuk wrote: > > > >> 2. 
Data must provide contact information to any parties to be able > >> to communicate with the person who described by the personal data > >> object > >> ============================================================================== > >> In this case personal data provided and processed in the same way > >> and purpose that they were collected and no restrictions should be > >> used > > > > An alternate approach would be for the RIPE NCC to act as a > > go-between for communicating with resource holders. > > > Actually this method was proposed in the letter you quote :) It will > not work with phone numbers but with the emails - it will work. And > already works for some public organisations which operates with > personal data in compliance with Directive 95/46/EC. So RIPE has > nothing to devise in this situation Oh, I see. I should read more carefully. One slight difference is that I don't propose any particular mechanism, including where or how data is stored, or how messages are received or transmitted. I'm glad that other organisations have figured this out, and that we can happily copy what they have done. :) Cheers, -- Shane From jim at rfc1035.com Thu Jan 3 15:24:07 2013 From: jim at rfc1035.com (Jim Reid) Date: Thu, 3 Jan 2013 14:24:07 +0000 Subject: [ncc-services-wg] Personal Data and Database Proxy services In-Reply-To: <50E57137.5030608@trifle.net> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net> Message-ID: <991F3058-CA29-4379-B979-BBE95F746D13@rfc1035.com> On 3 Jan 2013, at 11:53, Andrey Semenchuk wrote: > Jim Reid wrote: >> On 2 Jan 2013, at 18:43, Andrey Semenchuk wrote: >> >>> the phone number is not the personal information >> Sorry Andrey, it is. >> >> In the context of EU Data Protection legislation, ANY data identifying a Living Person is Personal Data. 
> "Person" object intended to identify employer of the organisation that holds objects in the RIPE database (aut-num, domain, inet-num, etc).

Nope. Well, not always. The name of this object is a massive hint about the thing it identifies. :-) And not all objects in the database are held by organisations either. Sometimes IP resources are held by individuals. [An ISP added me to the database (without my consent or knowledge) when they gave me a /29. They later deleted that when I handed the space back. The ISP's policy was to populate the database with the contact details for every customer assignment they made. They buried a consent clause in the very small print of their customer contract.]

Some organisations will be sole traders or one-person companies. In those cases pretty much all of the data about one of those organisations is Personal Data because they identify the individual who operates or owns that organisation.

> In this case the phone in person object is not the personal phone but the phone provided by employer.
...
> If we want to make data protection safer - ok, let's strip phone information from the database output of the person object.

Andrey, you're focusing on unimportant detail and missing the bigger picture. This is not about phone numbers or what they might be used for in some contexts. If you want to discuss that, take it elsewhere.

Deleting these (or email addresses or....) from contact objects will not solve anything. [And good luck getting consensus for a revised person object which also satisfies contradictory international requirements for Data Protection, privacy and Law Enforcement.] There will still be Personal Data in the database which has to be protected even if phone numbers are removed. Your name is Personal Data.

Your DPA might well say the organisation field of a contact object is not Personal Data. Mine may well say the exact opposite. Or, worse, both say it depends on the context in which the Personal Data get used.
ie: It might be OK for Hollywood's lawyers to mine whois for chasing down copyright violation but not OK for spammers to harvest email addresses from whois. This gets very murky very quickly. The subject is about levels of greyness and there's very little that lends itself to a clear black/white or yes/no decision.

> Is there any chance to identify Data Processor systems? Not the person who queries RIPE database search but any type of Data Processor system? It's not. Any data processor system can make a single request from IP address in a day (in IPv6 address space it's not a problem) and none system will tell this data processor system from the user who queries the database

You seem to be focusing on detail and missing the bigger picture again.

The terms Data Controller and Data Processor have specific definitions in Data Protection legislation. [I capitalise these terms to make it clear the formal definitions apply instead of a more generic or informal use.] These terms apply to roles. The specifics of the systems or procedures that someone/something in one of those roles may use don't matter: that's implementation detail. If you want a detailed explanation I suggest you consult the EU Directives, prevailing national law and a competent lawyer who understands this field. I am not a lawyer.

Broadly speaking, the NCC is the Data Controller for the database. They are the legal entity responsible for it and how it gets used. Anyone or anything manipulating that database or extracting data from it (or possibly even just doing a lookup on it) is a Data Processor. As a Data Controller the NCC must ensure that the Data Processor does so in accordance with the EU Directive and Dutch law.

You also seem to be more concerned about the identity of whatever is making a database lookup. That's not the issue. It's about the data which is provided as a result of that lookup.
For regular whois lookups, there's usually a pile of legalese in the response which says what the data can and can't be used for. That's usually enough to keep the DPA happy. However if there's a bulk export of some database for a Data Processor to use for something else, the DPA will almost certainly insist on a paper contract between the Data Processor and the Data Controller. > The current question with data protection exists because the database provide personal data. And all we should do - is to cut personal data from the output. A discussion about how or if Personal Data about IP resource holders get published will go round in circles forever and quickly degenerate into a screaming match. So I suggest we don't start that. > As soon we provide access to personal data that are stored (or may be stored) in RIPE database on any basis - the first question should be not about relations between RIPE and third parties that may collect and process that data. The first question should be: is every person who stores personal data in the RIPE database agrees with this situation and allow to collect/process his/her data by any organisation except RIPE? That's a good question. But the wrong one. For one thing, many people don't know about the RIPE database, let alone that their details might be in it. I expect the current setup satisfies the Dutch authorities. So provided they're happy, it's best not to (re)open the whois can of worms. A better question would be "is there consensus that the RIPE database provides satisfactory mechanisms for individuals to protect or conceal their Personal Data and publishes information on how to use those mechanisms? > If the person wished to provide free access to his/her personal data - RIPE should provide this access without any limitation. All data protection RIPE should provide - is a storage protection. If the person wishes to provide this information to RIPE only - no personal data should be displayed to any other third party. 
It's so simple! It's not. Anyone who thinks it is that simple does not understand the problem space. Sorry. > We're trying to answer to question that is not the main question by itself. The main question is: provide or do not provide personal information to third parties? It's not that simple. It depends on what the third party wants the data for. As an example, you might think it's a no-brainer to provide that third party access to law enforcement. We all want to prevent crime and help the police catch bad guys. But suppose the cops are hunting whoever's hosting Wikileaks this week or Mugabe's goons want to arrest human rights campaigners. What then? OK, Zimbabwe's not in our service region but you get the general idea. From andrey at trifle.net Thu Jan 3 15:51:55 2013 From: andrey at trifle.net (Andrey Semenchuk) Date: Thu, 03 Jan 2013 16:51:55 +0200 Subject: [ncc-services-wg] Personal Data and Database Proxy services In-Reply-To: <991F3058-CA29-4379-B979-BBE95F746D13@rfc1035.com> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net> <991F3058-CA29-4379-B979-BBE95F746D13@rfc1035.com> Message-ID: <50E59B0B.9070800@trifle.net> > If you want to discuss that, take it elsewhere. Ouch, you're not friendly > You seem to be focusing on detail and missing the bigger picture again. > > It's not. Anyone who thinks it is that simple does not understand the problem space. Sorry. > >> We're trying to answer to question that is not the main question by itself. The main question is: provide or do not provide personal information to third parties? >> > > It's not that simple. It depends on what the third party wants the data for. > As an example, you might think it's a no-brainer to provide that third party access to law enforcement. We all want to prevent crime and help the police catch bad guys. 
But suppose the cops are hunting whoever's hosting Wikileaks this week or Mugabe's goons want to arrest human rights campaigners. What then? OK, Zimbabwe's not in our service region but you get the general idea. Jim, do you listen yourself? Third parties will decide instead of person how his/her personal data should be processed and for what? I may agree with you that the picture is too big to estimate it's size but you watching the picture from the wrong side. The goal of personal data protection is to protect data. But not the third-parties. And just for your information: law enforcements already has access to databases that they should has. If they hasn't - they use authorized procedures in their investigation to gain access to the required data. Assistance for the law enforcements is not the question of this discussion -- Best wishes, Andrey Semenchuk Trifle Internet Service Provider (056) 731-99-11 www.trifle.net From Piotr.Strzyzewski at polsl.pl Thu Jan 3 15:13:57 2013 From: Piotr.Strzyzewski at polsl.pl (Piotr Strzyzewski) Date: Thu, 3 Jan 2013 15:13:57 +0100 Subject: [ncc-services-wg] Personal Data and Database Proxy services In-Reply-To: <50E58C40.2050004@trifle.net> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net> <20130103125830.GA53665@cilantro.c4inet.net> <50E5858F.5020405@trifle.net> <20130103134538.GA53810@cilantro.c4inet.net> <50E58C40.2050004@trifle.net> Message-ID: <20130103141357.GF32031@hydra.ck.polsl.pl> On Thu, Jan 03, 2013 at 03:48:48PM +0200, Andrey Semenchuk wrote: > Organisation object contains information about organisation. It's not the > type of objects that should be used for natural person In the hypothetical situation, when natural person is a holder of PI space or act as a LIR (i have no idea if this is even possible ;-) ), organisation object is mandatory and I guess it will be filled with that natural person's data. 
Piotr -- gucio -> Piotr Strzyżewski E-mail: Piotr.Strzyzewski at polsl.pl From gert at space.net Thu Jan 3 16:17:38 2013 From: gert at space.net (Gert Doering) Date: Thu, 3 Jan 2013 16:17:38 +0100 Subject: [ncc-services-wg] RIPE Database Proxy Service Issues In-Reply-To: <20130103150537.38924e2f@shane-desktop> References: <50E458CD.8030604@ripe.net> <50E4B6E3.9060305@netability.ie> <20130103150537.38924e2f@shane-desktop> Message-ID: <20130103151738.GV40732@Space.Net> Hi, On Thu, Jan 03, 2013 at 03:05:37PM +0100, Shane Kerr wrote: > Especially since apparently this is something that really only affects > a very few WHOIS users, so if this issue is a contract then it should > be straightforward to get a free-but-binding contract for those folks. +1 (Not commenting on the issue of "present one document for voting, then go implement something else". *That* is for the board to sort out) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 From jim at rfc1035.com Thu Jan 3 17:05:13 2013 From: jim at rfc1035.com (Jim Reid) Date: Thu, 3 Jan 2013 16:05:13 +0000 Subject: [ncc-services-wg] Personal Data and Database Proxy services In-Reply-To: <50E59B0B.9070800@trifle.net> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net> <991F3058-CA29-4379-B979-BBE95F746D13@rfc1035.com> <50E59B0B.9070800@trifle.net> Message-ID: <4A52EEBE-8585-408E-A19B-0A495053B38F@rfc1035.com> On 3 Jan 2013, at 14:51, Andrey Semenchuk wrote: >> If you want to discuss that, take it elsewhere. > Ouch, you're not friendly Apologies. I was just saying a discussion about the contextual significance of phone numbers was not appropriate for this list. No unfriendliness was stated or implied.
>> It's not that simple. It depends on what the third party wants the data for. As an example, you might think it's a no-brainer to provide that third party access to law enforcement. We all want to prevent crime and help the police catch bad guys. But suppose the cops are hunting whoever's hosting Wikileaks this week or Mugabe's goons want to arrest human rights campaigners. What then? OK, Zimbabwe's not in our service region but you get the general idea. > Jim, do you listen yourself? Of course. I only do what the voices inside my head tell me. :-) Well, maybe just the ones who shout loudest for longest. :-) > Third parties will decide instead of person how his/her personal data should be processed and for what? I didn't imply anything like that at all. So let me spell it out for you. A Data Controller has certain responsibilities to discharge before they pass Personal Data to a third party. These include, but are not limited to, considering what that third party may do with that Personal Data, whether that Data Processor can be trusted (or not), if the Data Processor's data protection regime is acceptable, etc. > I may agree with you that the picture is too big to estimate it's size but you watching the picture from the wrong side. The goal of personal data protection is to protect data. But not the third-parties. Nobody ever said it was about protecting third parties AFAICT. > And just for your information: law enforcements already has access to databases that they should has. If they hasn't - they use authorized procedures in their investigation to gain access to the required data. Assistance for the law enforcements is not the question of this discussion You still seem to be missing the point and focusing on detail instead of the big picture. I was using law enforcement as an obvious example of a case where third party access to registry data isn't as clear-cut as may be first thought. 
And just for your information, I am very familiar with the authorised procedures that are used here and what would happen when overseas law enforcement knocked on the door. From andrey at trifle.net Thu Jan 3 19:57:05 2013 From: andrey at trifle.net (Andrey Semenchuk) Date: Thu, 03 Jan 2013 20:57:05 +0200 Subject: [ncc-services-wg] Personal Data and Database Proxy services In-Reply-To: <4A52EEBE-8585-408E-A19B-0A495053B38F@rfc1035.com> References: <50E458CD.8030604@ripe.net> <50E47FD5.4000008@trifle.net> <9AE4C3F8-B0E0-4570-9A31-A9CF78710BD8@rfc1035.com> <50E57137.5030608@trifle.net> <991F3058-CA29-4379-B979-BBE95F746D13@rfc1035.com> <50E59B0B.9070800@trifle.net> <4A52EEBE-8585-408E-A19B-0A495053B38F@rfc1035.com> Message-ID: <50E5D481.4070700@trifle.net> An HTML attachment was scrubbed... URL: From eh at solnet.ch Fri Jan 4 09:32:43 2013 From: eh at solnet.ch (Erich Hohermuth) Date: Fri, 04 Jan 2013 09:32:43 +0100 Subject: [ncc-services-wg] RIPE Database Proxy Service Issues In-Reply-To: <20130103150537.38924e2f@shane-desktop> References: <50E458CD.8030604@ripe.net> <50E4B6E3.9060305@netability.ie> <20130103150537.38924e2f@shane-desktop> Message-ID: <50E693AB.7060609@solnet.ch> Hi On 03.01.13 15:05, wrote Shane Kerr: > Especially since apparently this is something that really only affects > a very few WHOIS users, so if this issue is a contract then it should > be straightforward to get a free-but-binding contract for those folks. Full ack, it should be free but binding. Regards Erich From ripencc-management at ripe.net Fri Jan 4 12:49:50 2013 From: ripencc-management at ripe.net (Axel Pawlik) Date: Fri, 04 Jan 2013 12:49:50 +0100 Subject: [ncc-services-wg] Update - RIPE Database Proxy Service Issues Message-ID: <50E6C1DE.7060605@ripe.net> [Apologies for duplicate emails] Dear colleagues, Thank you for your comments on this issue. 
I would like to point out that the *DRAFT* Activity Plan and Budget is published around September of each year, allowing members ample time to read it before it is discussed at the Autumn General Meeting. The RIPE NCC Executive Board then takes the outcome of the discussions and any new developments into consideration before finalising and approving the definitive Activity Plan and Budget, which is then published before the end of the year. On 13 December 2012, we informed the membership of the definitive Activity Plan and Budget and listed the changes from the draft plan. Please note that the membership does not vote on either the draft or the final Activity Plan and Budget - this is one of the member-elected Executive Board's functions. One of the modifications that took place from the draft to the final Activity Plan was the addition of the RIPE Database Proxy Service as a member-only service. This was a follow-up on an action point that stemmed from the Data Protection Task Force and a need to strengthen our contractual relationship between the current users of the RIPE Database Proxy Service and the RIPE NCC ensuring compliance with Dutch and EU legislation. Partially based on the membership's vote of approval regarding the new Charging Scheme of "one LIR, one fee" and partially based on the fact that the RIPE Database Proxy Service is only actively used by less than a handful of entities (both members and non-members), the Executive Board made the decision, which they felt was in the members' interest, to ask the users of this service to sign both a specific RIPE Database Proxy Service Agreement and the Standard Service Agreement (Membership Agreement) that adheres to both EU and Dutch legislation, which would entail the users of this service paying the annual membership fee. Based on the recent mailing list discussions it seems apparent that this is a contentious issue that requires further membership and community discussion. 
Therefore, we will keep the RIPE Database Proxy Service running as it was in 2012 (i.e., no fee and no Membership Agreement) until we have completed these discussions. We will prepare a legal analysis of the options at hand for the contractual documentation required to use this service and gauge whether or not the membership feels that we should charge a fee for this service. Regards, Axel Pawlik Managing Director RIPE NCC From ripencc-management at ripe.net Fri Jan 4 14:19:58 2013 From: ripencc-management at ripe.net (Axel Pawlik) Date: Fri, 04 Jan 2013 14:19:58 +0100 Subject: [ncc-services-wg] RIPE Database Proxy Service Issues In-Reply-To: <1357210831.23125.19.camel@moridin> References: <50E458CD.8030604@ripe.net> <1357210831.23125.19.camel@moridin> Message-ID: <50E6D6FE.5060404@ripe.net> Dear Teun, All current RIPE NCC members who received the RIPE Database Proxy Service Agreement should check that they are satisfied with it and, if so, they should sign it and return it to the RIPE NCC. We will individually contact all non-RIPE NCC members who received the membership agreements and inform them of the situation regarding discussions on this service. Best regards, Axel On 1/3/13 12:00 PM, Teun Vink wrote: > On Wed, 2013-01-02 at 16:57 +0100, Axel Pawlik wrote: > [...] >> In the meantime, there will be no changes to the proxy service and no >> loss of functionality for the community. >> >> The RIPE NCC and its Executive Board will return to its members with >> proposals for ways to ensure that their wishes are met with regard to >> service developments while allowing the RIPE NCC to be operate >> efficiently and responsively. > > > Hello Axel, > > Thank you for the clarification. In addition to points already addressed > by others I have another remark and question: > > RIPE NCC sent me the contracts on December 17th stating they had to be > signed and returned before the 31th. 
It amazes me that RIPE NCC sent > these out just before the holidays, making it impossible for us (and I > think many others) to have these documents reviewed by the right people > and returned in time. > > Now that we've had time to review the document and that I've read your > email I'm wondering if I still need to sign and return these documents. > Could you please elaborate? > > Best regards, From sander at steffann.nl Fri Jan 4 19:24:13 2013 From: sander at steffann.nl (Sander Steffann) Date: Fri, 4 Jan 2013 19:24:13 +0100 Subject: [ncc-services-wg] Update - RIPE Database Proxy Service Issues In-Reply-To: <50E6C1DE.7060605@ripe.net> References: <50E6C1DE.7060605@ripe.net> Message-ID: <98E3EAFD-7A38-4CF1-87FF-0E1E33A2F4EF@steffann.nl> Hi Axel, > Thank you for your comments on this issue. > > I would like to point out that the *DRAFT* Activity Plan and Budget is published around September of each year, allowing members ample time to read it before it is discussed at the Autumn General Meeting. The RIPE NCC Executive Board then takes the outcome of the discussions and any new developments into consideration before finalising and approving the definitive Activity Plan and Budget, which is then published before the end of the year. On 13 December 2012, we informed the membership of the definitive Activity Plan and Budget and listed the changes from the draft plan. Please note that the membership does not vote on either the draft or the final Activity Plan and Budget - this is one of the member-elected Executive Board's functions. You are right. I thought there had been a vote on the activity plan during the AGM, but it was only a discussion. The Articles of Association (a.k.a. RIPE-534: http://www.ripe.net/ripe/docs/ripe-534) state that the Activity Plan is the responsibility of the board, so the members don't need to approve it. My apologies for claiming this change was linked to the voting at the AGM. It wasn't.
> One of the modifications that took place from the draft to the final Activity Plan was the addition of the RIPE Database Proxy Service as a member-only service. This was a follow-up on an action point that stemmed from the Data Protection Task Force and a need to strengthen our contractual relationship between the current users of the RIPE Database Proxy Service and the RIPE NCC ensuring compliance with Dutch and EU legislation. > > Partially based on the membership's vote of approval regarding the new Charging Scheme of "one LIR, one fee" and partially based on the fact that the RIPE Database Proxy Service is only actively used by less than a handful of entities (both members and non-members), the Executive Board made the decision, which they felt was in the members' interest, to ask the users of this service to sign both a specific RIPE Database Proxy Service Agreement and the Standard Service Agreement (Membership Agreement) that adheres to both EU and Dutch legislation, which would entail the users of this service paying the annual membership fee. That might not have been the best decision. I fully understand the need for the RIPE Database Proxy Service Agreement, but not for forcing them to become members. The members voted for the "one LIR, one fee" charging scheme, but I don't understand that something that was never even related to being a member now suddenly becomes a member-only service. Why was the choice made to make it a member-only service *and* require a RIPE Database Proxy Service Agreement as well? Why not just the latter? I would like to see when and how this decision was made by the board. If I understand correctly then there must have been a meeting of the Executive Board to make the change to the Activity Plan. I checked the Executive Board meeting minutes (http://www.ripe.net/lir-services/ncc/executive-board/minutes) but I can't find anything after August 2nd, which was before the last AGM. 
The message to the users of the proxy service was sent on the 17th of December, which means that the decision by the board was made before that date. According to the Articles of Association Section 8 "The secretary shall keep minutes of the proceedings at all meetings of the Executive Board. The minutes shall be sent to the Executive Board members and shall be adopted by them In Writing as soon as possible after the meeting. Within two weeks of adoption the minutes of an Executive Board meeting shall be published on the website of the Association.". Two weeks ago was the 21st of December, so the only explanation for the unpublished minutes is that a board member hadn't adopted them yet before Christmas :-) I hope to see those minutes soon, because I think openness about this whole issue is important! > Based on the recent mailing list discussions it seems apparent that this is a contentious issue that requires further membership and community discussion. Therefore, we will keep the RIPE Database Proxy Service running as it was in 2012 (i.e., no fee and no Membership Agreement) until we have completed these discussions. Thank you. > We will prepare a legal analysis of the options at hand for the contractual documentation required to use this service and gauge whether or not the membership feels that we should charge a fee for this service. Sounds good. I do want to remark that although the decision to change the Activity Plan has been made according to the Articles of Association, I do wonder if such a decision actually belongs in the Activity Plan... But I'll leave that question until the next GM. Thank you, Sander PS: I'm focussing on the change to the Activity Plan here, and I think this is being solved now in the correct way. I still think the communication around this was appalling. 
You *don't* send people a in notice the week before Christmas to tell them that they have to sign a RIPE Database Proxy Service Agreement (and in most cases have to become members, which is impossible on such short notice) before the end of the year. You just don't... From axel.pawlik at ripe.net Mon Jan 7 17:06:57 2013 From: axel.pawlik at ripe.net (Axel Pawlik) Date: Mon, 07 Jan 2013 17:06:57 +0100 Subject: [ncc-services-wg] Update - RIPE Database Proxy Service Issues In-Reply-To: <98E3EAFD-7A38-4CF1-87FF-0E1E33A2F4EF@steffann.nl> References: <50E6C1DE.7060605@ripe.net> <98E3EAFD-7A38-4CF1-87FF-0E1E33A2F4EF@steffann.nl> Message-ID: <50EAF2A1.1050308@ripe.net> Sander, all, > I fully understand the > need for the RIPE Database Proxy Service Agreement, but not for > forcing them to become members. The members voted for the "one LIR, > one fee" charging scheme, but I don't understand that something that > was never even related to being a member now suddenly becomes a > member-only service. Why was the choice made to make it a member-only > service *and* require a RIPE Database Proxy Service Agreement as > well? Why not just the latter? The thought was to have all as simple as possible, "one LIR, one fee, one contract." Clearly, with 20/20 hindsight, that was "te kort door de bocht," a step too far, too quickly. > I checked > the Executive Board meeting minutes > (http://www.ripe.net/lir-services/ncc/executive-board/minutes) but I > can't find anything after August 2nd, which was before the last AGM. You're right. Now they are online; as you pointed out, they should have been already. > I hope to see those minutes soon, because I think openness about this > whole issue is important! Absolutely agree. We want them online (and occasionally succeeded) within two weeks of the meeting. I'm taking action to ensure it happens in every case now. > PS: I'm focussing on the change to the Activity Plan here, and I > think this is being solved now in the correct way. 
I still think the > communication around this was appalling. You *don't* send people a in > notice the week before Christmas to tell them that they have to sign > a RIPE Database Proxy Service Agreement (and in most cases have to > become members, which is impossible on such short notice) before the > end of the year. You just don't... Cannot help but agree again. It shouldn't have happened this way. I'm building in extra precautions that it doesn't again. Apologies to those on the receiving end. cheers, Axel From sander at steffann.nl Mon Jan 7 17:31:52 2013 From: sander at steffann.nl (Sander Steffann) Date: Mon, 7 Jan 2013 17:31:52 +0100 Subject: [ncc-services-wg] Update - RIPE Database Proxy Service Issues In-Reply-To: <50EAF2A1.1050308@ripe.net> References: <50E6C1DE.7060605@ripe.net> <98E3EAFD-7A38-4CF1-87FF-0E1E33A2F4EF@steffann.nl> <50EAF2A1.1050308@ripe.net> Message-ID: <6CA889C8-895C-4684-B04B-3ED361F6DAD7@steffann.nl> Hi Axel, >> I fully understand the >> need for the RIPE Database Proxy Service Agreement, but not for >> forcing them to become members. The members voted for the "one LIR, >> one fee" charging scheme, but I don't understand that something that >> was never even related to being a member now suddenly becomes a >> member-only service. Why was the choice made to make it a member-only >> service *and* require a RIPE Database Proxy Service Agreement as >> well? Why not just the latter? > > The thought was to have all as simple as possible, "one LIR, one fee, > one contract." > Clearly, with 20/20 hindsight, that was "te kort door de bocht," a step > too far, too quickly. As far as I can tell it was never even a conscious decision :-) See below. >> I checked >> the Executive Board meeting minutes >> (http://www.ripe.net/lir-services/ncc/executive-board/minutes) but I >> can't find anything after August 2nd, which was before the last AGM. > > You're right. Now they are online; as you pointed out, they should have > been already. Thanks! 
Reading them I notice that the only resolution that mentions the proxy service is: "The Resolution, stating "The Executive Board resolves to not charge a sign-up fee for contract holders of any of the following services: DNSmon, TTM, NRTM, DAUs and Proxy service that become members" was unanimously accepted by the Board." I don't see an explicit decision that the proxy service is a member-only service in those minutes. There is a sentence in the minutes that states "The following services will from 2013 onwards only be available for members (members-only): DNSmon, TTM, NRTM, DAUs and Proxy service." under the heading "Implementation of the Charging Scheme 2013". It seems to say that making those services members-only is a direct consequence of the implementation of the charging scheme, but the 2013 charging scheme document adopted by the members (http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/ripe-ncc-charging-scheme-2013-option-a) doesn't mention the proxy service at all. It says: "Non-members that are currently charged fees for using specific services such as DNSMON and NRTM, as well as Direct Assignment Users, must also become members". As the proxy service was never a service for which fees were charged it shouldn't have been included in the interpretation. As far as I can tell including the proxy service as a members-only service comes from a misinterpretation of the charging scheme. To summarise: The charging scheme explicitly doesn't say that the proxy service is a member-only service. Including it as a member-only service was a misinterpretation, and the board only decided that proxy service users don't have to pay a signup fee *if* they become members, but didn't decide that they *have* to become members (but probably assumed they had to be, given the misinterpretation).
So if I read everything correctly then proxy service users don't have to become members, but if they do then they don't have to pay a signup fee :-) Anyway, everything has already been resolved by not requiring proxy service users to become members and to discuss this topic at the next GM. And I am glad to see that this was caused by a simple human mistake / misinterpretation. You can never completely prevent those from happening :-) Thanks, Sander From danny at danysek.cz Mon Jan 7 18:30:26 2013 From: danny at danysek.cz (Daniel Suchy) Date: Mon, 07 Jan 2013 18:30:26 +0100 Subject: [ncc-services-wg] RDNS checks Message-ID: <50EB0632.20002@danysek.cz> Hello, when I was trying updating some reverse DNS records, I had problem due to RDNS check - and I think there's bug in implementation - RDNS checks should be done against DNS servers listed in *updated* (new, submitted) record, not against servers from *current* (old) record from RIPE database. Of course, "old" servers doesn't provide proper answers, but now I'm not able to update the records (by other way than delete/recreate objects)... With regards Daniel From kranjbar at ripe.net Mon Jan 7 19:10:01 2013 From: kranjbar at ripe.net (Kaveh Ranjbar) Date: Mon, 7 Jan 2013 19:10:01 +0100 Subject: [ncc-services-wg] RDNS checks In-Reply-To: <50EB0632.20002@danysek.cz> References: <50EB0632.20002@danysek.cz> Message-ID: Hello, This should not happen. We will check our logs and the system's behaviour and will contact you for follow up. Thank you for informing us. Kind Regards, Kaveh. --- Kaveh Ranjbar, RIPE NCC Database Group Manager On Jan 7, 2013, at 6:30 PM, Daniel Suchy wrote: > Hello, > when I was trying updating some reverse DNS records, I had problem due > to RDNS check - and I think there's bug in implementation - RDNS checks > should be done against DNS servers listed in *updated* (new, submitted) > record, not against servers from *current* (old) record from RIPE database.
> > Of course, "old" servers doesn't provide proper answers, but now I'm not > able to update the records (by other way than delete/recreate objects)... > > With regards > Daniel > From mir at ripe.net Fri Jan 11 12:21:47 2013 From: mir at ripe.net (Mirjam Kuehne) Date: Fri, 11 Jan 2013 12:21:47 +0100 Subject: [ncc-services-wg] New on RIPE Labs: RIPE NCC Training Report 2012 & Plans for 2013 Message-ID: <50EFF5CB.5010306@ripe.net> Dear colleagues, Please find a summary of our training activities in 2012 and plans for 2013 on RIPE Labs: https://labs.ripe.net/Members/mirjam/ripe-ncc-training-report-2012 Kind regards, Mirjam Kuehne RIPE NCC From comms+reply at ripe.net Mon Jan 14 14:49:19 2013 From: comms+reply at ripe.net (Brian Riddle) Date: Mon, 14 Jan 2013 14:49:19 +0100 Subject: [ncc-services-wg] [news] Update: New RIPE NCC PGP Key Message-ID: <50F40CDF.6030206@ripe.net> [Apologies for duplicate emails] Dear colleagues, On Monday, 7 January 2013 we announced that we would start using our 2013 key to sign emails from our ticketing system. Due to technical problems we have to publish a new key which will be published today, Monday, 14 January 2013. This 2013 key has been signed by the 2012 key as described in the key management policy on our website: The new 2013 key will be activated Thursday, 17 January 2013. The original 2012 key will remain valid until Thursday, 31 January 2013. We apologise if this has caused you any inconvenience. If you have any questions about this, please contact . 
Kind regards, Brian Riddle RIPE NCC From emadaio at ripe.net Wed Jan 16 15:13:38 2013 From: emadaio at ripe.net (Emilio Madaio) Date: Wed, 16 Jan 2013 15:13:38 +0100 Subject: [ncc-services-wg] 2012-08 Discussion Period extended until 13 February 2013 (Publication of Sponsoring LIR for Independent Number Resources) Message-ID: <50F6B592.5020803@ripe.net> Dear Colleagues, The Discussion Period for the proposal 2012-08, "Publication of Sponsoring LIR for Independent Number Resources", has been extended until 13 February 2013. You can find the full proposal at: https://www.ripe.net/ripe/policies/proposals/2012-08 We encourage you to review this policy proposal and send your comments to . Regards, Emilio Madaio Policy Development Officer RIPE NCC From mir at ripe.net Tue Jan 22 10:34:20 2013 From: mir at ripe.net (Mirjam Kuehne) Date: Tue, 22 Jan 2013 10:34:20 +0100 Subject: [ncc-services-wg] New on RIPE Labs: Access RIPE Atlas via LIR Portal Message-ID: <50FE5D1C.9040303@ripe.net> [apologies for duplicates] Dear colleagues, You can now access RIPE Atlas via the LIR Portal. Please find more information on RIPE Labs: https://labs.ripe.net/Members/becha/ripe-atlas-via-lir-portal Kind Regards, Mirjam Kuehne RIPE NCC From training at ripe.net Tue Jan 22 11:22:16 2013 From: training at ripe.net (Training Mailbox) Date: Tue, 22 Jan 2013 11:22:16 +0100 Subject: [ncc-services-wg] [training] RIPE NCC Webinars - new dates Message-ID: <50FE6858.9090800@ripe.net> [Apologies for duplicate e-mails] Dear colleagues, We are pleased to announce the launch of new dates for our Webinars for LIRs. The RIPE NCC Webinars are live, one hour online training courses that allow participants to interact with our trainers without leaving their desks. We focus on the topics and issues most important for LIRs. Register now at https://www.ripe.net/lir-services/training/e-learning/webinars Participation is limited to 20 people, so don't hesitate if you want to take part! 
If you have questions, please email. We look forward to seeing you online. Kind regards, RIPE NCC Training Services From emadaio at ripe.net Thu Jan 24 14:33:17 2013 From: emadaio at ripe.net (Emilio Madaio) Date: Thu, 24 Jan 2013 14:33:17 +0100 Subject: [ncc-services-wg] 2012-07 Discussion Period extended until 21 February 2013 (RIPE NCC Service to Legacy Internet Resource Holders) Message-ID: <5101381D.90600@ripe.net> Dear Colleagues, The text of the policy proposal 2012-07, "RIPE NCC Services to Legacy Internet Resource Holders", has been revised based on the community feedback received on the mailing list. We have published the new version (version 2.0) today. As a result a new Discussion Phase is set for the proposal. Highlights of the changes: -general rearrangement of the proposal sections -overall rewording of the whole policy proposal text -new Rationale section You can find the full proposal at: https://www.ripe.net/ripe/policies/proposals/2012-07 We encourage you to review this policy proposal and send your comments to . Regards, Emilio Madaio Policy Development Officer RIPE NCC From mir at ripe.net Thu Jan 24 15:24:59 2013 From: mir at ripe.net (Mirjam Kuehne) Date: Thu, 24 Jan 2013 15:24:59 +0100 Subject: [ncc-services-wg] New on RIPE Labs: RIPE NCC Membership 2012 Statistics Message-ID: <5101443B.7040507@ripe.net> Dear colleagues, At the start of a new year and four months after we reached the last /8 of IPv4 address space, we looked at our membership statistics again. Have we seen an increase in members or resource requests? 
Please find some selected statistics on RIPE Labs: https://labs.ripe.net/Members/wilhelm/ripe-ncc-membership-2012-statistics Kind regards, Mirjam Kuehne RIPE NCC From bijal.sanghani at euro-ix.net Fri Jan 25 11:59:00 2013 From: bijal.sanghani at euro-ix.net (Bijal Sanghani) Date: Fri, 25 Jan 2013 10:59:00 +0000 Subject: [ncc-services-wg] RIPE65 Draft NCC Services WG Minutes Message-ID: Dear All, The draft minutes from the NCC Services WG at RIPE 65 are now available online at: https://www.ripe.net/ripe/groups/wg/services/minutes/ripe-65 Please feel free to send comments to either myself, Kurtis or the mailing list. Kind regards, Bijal Sanghani NCC Services WG Co-chair