In message <c59c9c14-521e-e7f8-fb9f-51a1dcb3f757@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
Would it be feasible for the RIPE NCC to add a read-only record to org: objects which provided the date of the last due diligence check? E.g. something like
organisation: ORG-FNL99-RIPE org-name: Foo Networks Limited org-type: LIR [...] mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT abuse-c: FOO2000-RIPE created: 2019-01-01T01:01:01Z last-modified: 2019-01-01T01:01:01Z due-diligence: 2019-07-01T12:00:00Z source: RIPE
Otherwise it doesn't look like it's easy to heuristically work out whether due diligence has been carried out on a particular object or not.
I can't answer Nick's question, but I did just want to offer my take on this. Personally, my own inference/assumption when looking at records like the one above is that "vetting", however that is defined, took place on this ORG on or about the created: date and NEVER thereafter. This seems to be the way things are done in the ARIN region, as I learned the hard way. I made a fool out of myself awhile back on the ARIN Public Policy Mailing List (PPML) when I endlessly harangued John Curran (ARIN CEO) about how it came to pass that one tricky scoundrel (whose primary business name was/is "Micfo") somehow managed to create a lot of companies, each of which was... according to the relevant WHOIS records... located in a different U.S. state within which each such company had NEVER been registered. So, as I learned, according to Curran, at the time these different (fradulent) companies were initially granted (IPv4) resources, they -were- each vetted to make sure that they each existed and that they each were registered in the states they claimed to be in AT THAT TIME. If I understood Curran correctly, sometime AFTER that the WHOIS records for each of the IPv4 allocations that had been granted to each of these fake corporate entities has been FIDDLED (by the crook at the heart of this matter) to make it appear that the entities themselves were located in and/or operating in various other states where in fact, they had neither any operations nor any actual legal existance in those states. ARIN does NOT vet any of the changes that a registrant may make to his/her/its own pre-existing WHOIS records. I believe that is an accurate characterization of what Curran said on the PPML. If ARIN doesn't vet WHOIS -modifications- then I rather doubt that RIPE does so. So, except in very rare cases, I would assume that the "last vetting date" for any given RIPE WHOIS record is going to be approximately equal to the created: date. Regards, rfg