Re: [anti-abuse-wg] addtess verification (was: personal data in the RIPE Database)
Creative forgery engaged in by fraudulent resource holders is good, it lets people use that forgery first as an indication of badness and second as a way to search for more of the same. Hiding it would be counter productive to the extreme especially as we may not be able to trust the LIR in at least some cases (or registrars in certain cases, for domain whois). --srs From: anti-abuse-wg on behalf of denis walker Sent: Wednesday, June 8, 2022 3:46:37 AM To: Ángel González Berdasco Cc: anti-abuse-wg Subject: Re: [anti-abuse-wg] addtess verification (was: personal data in the RIPE Database) Hi Angel On Tue, 7 Jun 2022 at 03:09, Ángel González Berdasco wrote: > > denis wrote: > In a previous mail you mentioned: > > When these people apply to be a member I am sure the RIPE NCC requires > > proof of identity and proof of address. > > but -being slightly more skeptic- I would like to know what kind of address > verification is performed. > > Document ripe-770 do mention the first part: > "Each agreement signed with either the RIPE NCC or with a sponsoring LIR must > be accompanied by supporting documentation proving the existence (and > validity) of the legal or natural person (see below)." > > but no mention is made of verifying the physical address. > https://www.ripe.net/publications/docs/ripe-770#111 I checked with the RIPE NCC. You are right. They do no verification at all on the address. Those attributes are maintained by the LIR. They can enter any data they like into the address fields and this can be changed at any time and as frequently as they wish. So with regard to this field Ronald is right, it can be completely false data. If this is pointed out to the RIPE NCC they will follow up and presumably ensure it is corrected. This is significant in two respects. Firstly the value of doing correlations on this unverified free text is questionable. Secondly it still needs to be taken out of the general public domain for natural persons. I am sure some will say it is not a problem as those who want to hide their true address can put false data in there. But that is the wrong approach. We should never put resource holders in a position where a solution to a problem is to lie. Also if the police need to access and use that address data they need it to be correct. So this doesn't change anything. It actually reaffirms what needs to be done. cheers denis proposal author > > Regards > > > -- > INCIBE-CERT - Spanish National CSIRT > https://www.incibe-cert.es/ > > PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys > > > > INCIBE-CERT is the Spanish National CSIRT designated for citizens, > private law entities, other entities not included in the subjective > scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen > Jurídico del Sector Público", as well as digital service providers, > operators of essential services and critical operators under the terms > of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de > las redes y sistemas de información" that transposes the Directive (EU) > 2016/1148 of the European Parliament and of the Council of 6 July 2016 > concerning measures for a high common level of security of network and > information systems across the Union. > > > > In compliance with the General Data Protection Regulation of the EU > (Regulation EU 2016/679, of 27 April 2016) we inform you that your > personal and corporate data (as well as those included in attached > documents); and e-mail address, may be included in our records > for the purpose derived from legal, contractual or pre-contractual > obligations or in order to respond to your queries. You may exercise > your rights of access, correction, cancellation, portability, > limitationof processing and opposition under the terms established by > current legislation and free of charge by sending an e-mail to > d...@incibe.es. The Data Controller is S.M.E. Instituto Nacional de > Ciberseguridad de España, M.P., S.A. More information is available > on our website: https://www.incibe.es/proteccion-datos-personales > and https://www.incibe.es/registro-actividad. > > > -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] addtess verification (was: personal data in the RIPE Database)
Hi Angel On Tue, 7 Jun 2022 at 03:09, Ángel González Berdasco wrote: > > denis wrote: > In a previous mail you mentioned: > > When these people apply to be a member I am sure the RIPE NCC requires > > proof of identity and proof of address. > > but -being slightly more skeptic- I would like to know what kind of address > verification is performed. > > Document ripe-770 do mention the first part: > "Each agreement signed with either the RIPE NCC or with a sponsoring LIR must > be accompanied by supporting documentation proving the existence (and > validity) of the legal or natural person (see below)." > > but no mention is made of verifying the physical address. > https://www.ripe.net/publications/docs/ripe-770#111 I checked with the RIPE NCC. You are right. They do no verification at all on the address. Those attributes are maintained by the LIR. They can enter any data they like into the address fields and this can be changed at any time and as frequently as they wish. So with regard to this field Ronald is right, it can be completely false data. If this is pointed out to the RIPE NCC they will follow up and presumably ensure it is corrected. This is significant in two respects. Firstly the value of doing correlations on this unverified free text is questionable. Secondly it still needs to be taken out of the general public domain for natural persons. I am sure some will say it is not a problem as those who want to hide their true address can put false data in there. But that is the wrong approach. We should never put resource holders in a position where a solution to a problem is to lie. Also if the police need to access and use that address data they need it to be correct. So this doesn't change anything. It actually reaffirms what needs to be done. cheers denis proposal author > > Regards > > > -- > INCIBE-CERT - Spanish National CSIRT > https://www.incibe-cert.es/ > > PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys > > > > INCIBE-CERT is the Spanish National CSIRT designated for citizens, > private law entities, other entities not included in the subjective > scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen > Jurídico del Sector Público", as well as digital service providers, > operators of essential services and critical operators under the terms > of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de > las redes y sistemas de información" that transposes the Directive (EU) > 2016/1148 of the European Parliament and of the Council of 6 July 2016 > concerning measures for a high common level of security of network and > information systems across the Union. > > > > In compliance with the General Data Protection Regulation of the EU > (Regulation EU 2016/679, of 27 April 2016) we inform you that your > personal and corporate data (as well as those included in attached > documents); and e-mail address, may be included in our records > for the purpose derived from legal, contractual or pre-contractual > obligations or in order to respond to your queries. You may exercise > your rights of access, correction, cancellation, portability, > limitationof processing and opposition under the terms established by > current legislation and free of charge by sending an e-mail to > d...@incibe.es. The Data Controller is S.M.E. Instituto Nacional de > Ciberseguridad de España, M.P., S.A. More information is available > on our website: https://www.incibe.es/proteccion-datos-personales > and https://www.incibe.es/registro-actividad. > > > -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] addtess verification (was: personal data in the RIPE Database)
denis wrote: > This defeats your own argument. You were arguing you need to know the > addresses of these natural persons so you can link separate resources > having the same address. Using the IDs of random people and drunks > from a bar will give them all different addresses. Knowing these > addresses doesn't help you in any way. Maybe they would use the address of the bar where they met the drunkard? :) Having many persons registered with that address. Or even multiple registrations whose addresses all match with pubs in Y area, would certainly be an interesting pattern worth to be discovered. Or even just a pattern of addresses not existing in that city or with no buildings. Sadly, filters designed to block obvious fake data will generally only lead malicious actors to produce better lies, not to provide their real details. In a previous mail you mentioned: > When these people apply to be a member I am sure the RIPE NCC requires proof > of identity and proof of address. but -being slightly more skeptic- I would like to know what kind of address verification is performed. Document ripe-770 do mention the first part: "Each agreement signed with either the RIPE NCC or with a sponsoring LIR must be accompanied by supporting documentation proving the existence (and validity) of the legal or natural person (see below)." but no mention is made of verifying the physical address. https://www.ripe.net/publications/docs/ripe-770#111 As for the identity proof, it suggests "Valid identification documents (e.g., identification card, passport)" I guess one might go to RIPE NCC office to show them their passport and assert that they do exist and match it. That's probably the most secure way of verification. But I doubt many people would do that (maybe, during the assembly...). Sending the passport or id card to RIPE NCC would not be be acceptable. The exact way to do that is not described there, but the model agreement says "the End User shall include a photocopy of a valid identity card." and I suspect that's what will be done on almist every case. https://www.ripe.net/manage-ips-and-asns/resource-management/number-resources/independent-resources/independent-assignment-request-and-maintenance-agreement Obviously, someone who tricked another one (drunk or not) into getting a copy of their id card could easily fulfill this requisite. Maybe those on this list that are resource holders could tell us if their physical address was ever validated by RIPE in any way? Regards -- INCIBE-CERT - Spanish National CSIRT https://www.incibe-cert.es/ PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. In compliance with the General Data Protection Regulation of the EU (Regulation EU 2016/679, of 27 April 2016) we inform you that your personal and corporate data (as well as those included in attached documents); and e-mail address, may be included in our records for the purpose derived from legal, contractual or pre-contractual obligations or in order to respond to your queries. You may exercise your rights of access, correction, cancellation, portability, limitationof processing and opposition under the terms established by current legislation and free of charge by sending an e-mail to d...@incibe.es. The Data Controller is S.M.E. Instituto Nacional de Ciberseguridad de España, M.P., S.A. More information is available on our website: https://www.incibe.es/proteccion-datos-personales and https://www.incibe.es/registro-actividad. -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
