Hi,
I'm not sure there's a justifiable case for the NCC to hold copies of passports and what have you AT ALL. Or verifying the bona fides of those documents either.
Before we get lost in possible ways of determining the identity of a person let's go back to the policy text. The following text is from RIPE-452: "The intention of this policy document is to ensure that the RIPE NCC, as the intermediate manager of provider independent resource assignments to End Users, can confirm that the End User exists, continues to exist and that they continue to fulfil their obligations to comply with the original assignment conditions. This position can be ensured by the presence of either an indirect or a direct contractual link between the End User and the RIPE NCC." and "The preferred model of the RIPE community is for End Users to have contractual relationship with a sponsoring LIR instead of directly with the RIPE NCC." My personal interpretation of RIPE-452 is that an End User having a contract with a sponsoring LIR satisfies the policy. The NCC verifying that the contract is in place by asking a copy of the contract from the Sponsoring LIR seems reasonable, but the NCC requiring a copy of identification papers seems to go beyond what the policy text says. As several people have already stated the NCC cannot verify the accuracy of that copy anyway. I could make a photocopy of my sister's passport and request resources in her name, and the NCC cannot know that I don't look like the picture on the passport. Even more interesting, this example on the website of the Dutch Ministry of Internal Affairs still seems valid if you don't look too closely at the social security number :-) https://www.bprbzk.nl/Reisdocumenten/Echtheidskenmerken/Model_2011/Nederland.... Or maybe this one: http://glmb1949.webs.com/Dibujo.JPG. Google knows a lot of passports :) Looking at "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data": that directive states that personal data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed". I think the example given above already violates the first word: 'adequate'. The NCC has no way of verifying that the copy of the ID belongs to the person requesting the resources, so the personal data is not adequate for the purpose. Only the LIR can be in the position to verify the identity of the person requesting the resources, so the NCC has no choice but to rely on the LIR to do a proper job. If the NCC cannot rely on this then maybe that part of the chain should get fixed/strengthened. The NCC having a copy of some ID only seems to provide a fake level of certainty as far as I can see... So, now, a question to the working group: as this is the address policy working group, is the current policy what we want? Should it indeed be interpreted as 'the Sponsoring LIR verifies the identity of the End User, not the NCC' or is my interpretation of the English language a bit off here? If it turns out that we do want the NCC to play an active role in verifying the identities of End Users, then we can look at how to adjust the policy to clearly state that and work together with the NCC to look for viable solutions to that problem. But I think we should first determine if there is a problem to be solved. Thanks, Sander