Hi Ronald,
Please see replies below.
On Wed, Jul 20, 2022 at 4:52 AM Ronald F. Guilmette via db-wg <db-wg@ripe.net> wrote:
In message <CAKvLzuFZDSk11aW=j0ufpNs5i+-2bmDHFkJ7pQfaUu-nhhEiFQ@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
During the conversation we had some time ago about contacts we concluded that no one is going to visit a contact or post them a letter.
No, "we" didn't. Unless you are using the term "we" here in the royal sense.
The IRT object also had a mandatory address attribute that is defined in the documentation as:
"This is a full postal address for the business contact represented by this irt object."
Does anyone think we actually need a postal address for a contact for a CSIRT team?
Yes. I do.
You haven't yet answered _any_ of the fundamental questions I've asked about your ongoing efforts to hide information, to wit:
*) Other than you and Cynthia, who is asking for and/or demanding these various deliberate obfuscation steps?
It might mostly be me and Denis advocating for this policy change; however, there haven't been a lot of people active on the db-wg lately in any discussions. Additionally, I have only seen you and one other person primarily argue against this proposal. I seem to recall some people being supportive of this idea at RIPE84 but I do not remember the details, so take that with a grain of salt.
*) Why is the hiding of information even a priority?
Hiding information is good from a privacy standpoint, so you have to weigh the benefit of having the data public against the privacy implications of publishing it (and consider any potential legal issues/requirements).
*) What is the plan? Who is going to do the work, when, and what is the cost?
The implementation details would be discussed later, as Denis has said; however, obviously it would be the RIPE NCC that would do the work of actually implementing it.
*) Are these deliberate obfuscation steps still being justified on the basis of GDPR, or do you now accept as fact that GDPR is irrelevant in the context of the RIPE data base, and that it does not currently compel RIPE to make any changes to the public WHOIS data base whatsoever?
Denis has already mentioned in an email regarding 2022-01 that he will not address any more GDPR issues until there has been a legal review as many of us are not lawyers. While I can't speak for Denis, you have not convinced me that GDPR is somehow irrelevant in the context of personal data but I also don't want to discuss it further until the NCC legal team has done their legal review.
*) If the goal is to hide information, then why not just take the entire RIPE WHOIS data base offline and hide the whole thing behind some sort of permission-wall that can only be pierced with a legal warrant?
(That last question is, of course, the essential point, since that endpoint seems rather clearly to be the direction in which this is all headed.)
This question is not really an "essential point" in my opinion as there is a big difference between hiding postal addresses and hiding abuse email addresses and route(6) objects. I would argue that a postal address is very rarely needed in the context of networks while abuse email addresses and route(6) objects are important to the operation of many networks.
Regards, rfg
P.S. I really don't care if I am the only one on this mailing list who is representing the interests of law enforcement and legitimate security researchers, or if I have to endure the slings and arrows that come with that. It's a tough job, but somebody has to push back against all of these subtle incremental efforts to hide the WHOIS by chipping away at it, little by little.
-Cynthia