Historical records... what is and isn't available
I bumped my head on something unexpected a day or two ago, and I would now just like to ask a question, to find out if what I seemed to see was just a product of my own programming mistake, or if it is fact the way things were intended to be. So, true or false? The --list-versions and --show-version options are not supported for person:, role:, and mntner: records. To be clear I am *not* asking if the data returned when the --show-version option is applied to one of the types of records I've just listed is merely redacted of all personal information relating to natural persons. Rather, I am asking if I should in fact be expecting to get absolutely -nothing- back when/if I try to use --show-version on any of the aforementioned record types, regadless of of whether the requested historical information contains 100% personal information or alternatively, if it contains 0% personal information, or anything in between. Regards, rfg
Hi Ronald True...historical versions of these objects are not available in any form for privacy and security reasons. Personally I don't think MNTNER objects should be visible at all to the public. I don't know of any other service on the internet where details of how you secure your data are open to the public. Being able to query for someone else's MNTNER object is a throw back to the days when only nice people used the internet :) cheers denis co-chair DB-WG On Wed, 2 Dec 2020 at 23:25, Ronald F. Guilmette via db-wg <db-wg@ripe.net> wrote:
I bumped my head on something unexpected a day or two ago, and I would now just like to ask a question, to find out if what I seemed to see was just a product of my own programming mistake, or if it is fact the way things were intended to be.
So, true or false? The --list-versions and --show-version options are not supported for person:, role:, and mntner: records.
To be clear I am *not* asking if the data returned when the --show-version option is applied to one of the types of records I've just listed is merely redacted of all personal information relating to natural persons. Rather, I am asking if I should in fact be expecting to get absolutely -nothing- back when/if I try to use --show-version on any of the aforementioned record types, regadless of of whether the requested historical information contains 100% personal information or alternatively, if it contains 0% personal information, or anything in between.
Regards, rfg
In message <CAKvLzuG3=02CKO3mHywUvLX1MKEOM=hOfgRROku8uOxsJLKFbg@mail.gmail.com>, denis walker <ripedenis@gmail.com> wrote:
True...historical versions of these objects are not available in any form for privacy and security reasons.
Ok, so, two questions: 1) Is that based on community policy, or on internal RIPE NCC policy? 2) What are these "privacy and security reasons", exactly?
Personally I don't think MNTNER objects should be visible at all to the public. I don't know of any other service on the internet where details of how you secure your data are open to the public.
As a privately held corporate entity, RIPE is certainly free to hide as much of this data as it wants. Even non-profit entities are not obliged to make all of their internal documents public. In fact, I personally am not aware of any -legal- requirement for RIPE to publish any WHOIS data *at all*. And it could obviously be argued that publishing absolutely -zero- WHOIS data to the public at large would be maximally consistant with the goals of "privacy and security". That *is* the logical endpoint of the value system that places "privacy and security" above all other considerations. Let's cut to the chase here. I'll start the ball rolling, and Denis can support or not support the following propoal as he sees fit... Be it proposed that starting from January 1, 2021, public access to the RIPE WHOIS data base shall be terminated, and after that date only RIPE NCC staff members shall have access to any information contained within the RIPE data base. Alternatively, starting from January 1, 2021, public access to the RIPE WHOIS data base shall be terminated, but the data will still be available, with all names of companies and individuals being redacted, only to dues-paying RIPE members. The above proposals are maximally consistant with both GDPR and also with the twin overriding goals of privacy and security. Can I get a second for my proposal? Regards, rfg
Ronald, On 03/12/2020 22.57, Ronald F. Guilmette via db-wg wrote:
Let's cut to the chase here. I'll start the ball rolling, and Denis can support or not support the following propoal as he sees fit...
Be it proposed that starting from January 1, 2021, public access to the RIPE WHOIS data base shall be terminated, and after that date only RIPE NCC staff members shall have access to any information contained within the RIPE data base.
Alternatively, starting from January 1, 2021, public access to the RIPE WHOIS data base shall be terminated, but the data will still be available, with all names of companies and individuals being redacted, only to dues-paying RIPE members.
The above proposals are maximally consistant with both GDPR and also with the twin overriding goals of privacy and security.
Can I get a second for my proposal?
One missing bit of this proposal is organizations who *want* their network information visible to other network operators. Back when we used phone books there were people who wanted their name and phone number published... sometimes including their physical address... and some people who did not. So I would not be terribly sad with the 2nd version if allowed an opt-in clause. Also, the RIPE PDP (Policy Development Process) does not allow for such a quick timeframe, so best to leave the date off at least until the RIPE NCC has completed their feasibility assessment. So maybe a version which looks like this: By default, the RIPE Whois Database will only return whether number resources are allocated or not in the public view. RIPE NCC members may opt to publish additional information in the public view of the database. RIPE NCC members will also be able to access contact information and other meta-data (such as date of allocation) of other members in a private view of the database. Cheers, -- Shane
HI Shane On Fri, 4 Dec 2020 at 09:52, Shane Kerr via db-wg <db-wg@ripe.net> wrote:
Ronald,
On 03/12/2020 22.57, Ronald F. Guilmette via db-wg wrote:
Let's cut to the chase here. I'll start the ball rolling, and Denis can support or not support the following propoal as he sees fit...
Be it proposed that starting from January 1, 2021, public access to the RIPE WHOIS data base shall be terminated, and after that date only RIPE NCC staff members shall have access to any information contained within the RIPE data base.
Alternatively, starting from January 1, 2021, public access to the RIPE WHOIS data base shall be terminated, but the data will still be available, with all names of companies and individuals being redacted, only to dues-paying RIPE members.
The above proposals are maximally consistant with both GDPR and also with the twin overriding goals of privacy and security.
Can I get a second for my proposal?
One missing bit of this proposal is organizations who *want* their network information visible to other network operators. Back when we used phone books there were people who wanted their name and phone number published... sometimes including their physical address... and some people who did not. So I would not be terribly sad with the 2nd version if allowed an opt-in clause.
Also, the RIPE PDP (Policy Development Process) does not allow for such a quick timeframe, so best to leave the date off at least until the RIPE NCC has completed their feasibility assessment.
So maybe a version which looks like this:
By default, the RIPE Whois Database will only return whether number resources are allocated or not in the public view. RIPE NCC members may opt to publish additional information in the public view of the database. RIPE NCC members will also be able to access contact information and other meta-data (such as date of allocation) of other members in a private view of the database.
This circumvents the (accepted) purpose of the RIPE Database as a 'public registry' of who is responsible for Internet resources...even though this is not listed as one of the purposes. (Maybe the TF should add this as a purpose...) cheers denis co-chair DB-WG
Cheers,
-- Shane
This circumvents the (accepted) purpose of the RIPE Database as a 'public registry' of who is responsible for Internet resources.
thank you randy
+1 on this. Even though it might not be one of its primary intentions, the RIPE Database has been, and still is, an invaluable source of information for various open-access research projects. Best regards, Lars On 04.12.20 17:41, Randy Bush via db-wg wrote:
This circumvents the (accepted) purpose of the RIPE Database as a 'public registry' of who is responsible for Internet resources. thank you
randy
On 3 Dec 2020, at 21:57, Ronald F. Guilmette via db-wg wrote:
As a privately held corporate entity, RIPE is certainly free to hide as much of this data as it wants.
I think you may mean “ … corporate entity, the RIPE NCC …”. RIPE is not a corporate entity, but a community. As far as I am aware, this community has no legal personality. Best regards, Niall O’Reilly RIPE Vice-Chair
Denis, On 02/12/2020 23.39, denis walker via db-wg wrote:
Personally I don't think MNTNER objects should be visible at all to the public. I don't know of any other service on the internet where details of how you secure your data are open to the public. Being able to query for someone else's MNTNER object is a throw back to the days when only nice people used the internet :)
My understanding of why MNTNER is public is quite different. Many years ago (like 19 or 20 years ago) I was told that the RIPE Database was completely open because of the benefits that transparency brings. Among these were: * Not having to trust that the RIPE NCC was properly managing the data. No data leaks are possible if all data is published at the start! * Being able to make a copy of the database and have the entire public registry available for archive or backup purposes (for example if Holland was flooded and all RIPE NCC servers were destroyed). If I recall correctly two main factors changed this philosophy: 1. Publishing encrypted passwords using CRYPT-PW was vulnerable to brute force attacks, and even when updated to MD5-PW still vulnerable to dictionary attacks. 2. PERSON objects became a huge privacy problem as more and more contact data was published for people who had never even heard of RIPE. As far as I know there is no suggestion that this complete openness is a good idea today. Certainly I don't remember this being raised in the RIPE Database Requirements Task Force discussions - quite the opposite! There is a strong desire to collect and publish the minimum amount of data possible. As for whether MNTNER objects should be public... I always felt that the MNTNER concept conflated authentication and authorization and identity, and really the world would be better off without it. When I was looking at the requirements for the ARIN database back in the 20th century I proposed that authentication should always be tied to a human being, since any access to a database was always done on behalf of a person (even when done via an automated tool). Authorization should proceed based on role-based access controls (RBAC). At the time there was not a strong privacy requirement (and since ARIN is in the USA probably there still is no strong privacy requirement), so the idea was to collect a complete history of all changes for all time, allowing audits and rollback. Today I'd probably propose that policy for historical data be a first class object that was something that could be tweaked by users within system-defined limits. Cheers, -- Shane
HI Shane On Fri, 4 Dec 2020 at 09:39, Shane Kerr via db-wg <db-wg@ripe.net> wrote:
Denis,
On 02/12/2020 23.39, denis walker via db-wg wrote:
Personally I don't think MNTNER objects should be visible at all to the public. I don't know of any other service on the internet where details of how you secure your data are open to the public. Being able to query for someone else's MNTNER object is a throw back to the days when only nice people used the internet :)
My understanding of why MNTNER is public is quite different. Many years ago (like 19 or 20 years ago) I was told that the RIPE Database was completely open because of the benefits that transparency brings. Among these were:
* Not having to trust that the RIPE NCC was properly managing the data. No data leaks are possible if all data is published at the start!
* Being able to make a copy of the database and have the entire public registry available for archive or backup purposes (for example if Holland was flooded and all RIPE NCC servers were destroyed).
I think historically you are right. I remember the phrase being banded about "everything in the RIPE Database is public". (A bit like "no one owns an IP address"). But times change :)
If I recall correctly two main factors changed this philosophy:
1. Publishing encrypted passwords using CRYPT-PW was vulnerable to brute force attacks, and even when updated to MD5-PW still vulnerable to dictionary attacks.
2. PERSON objects became a huge privacy problem as more and more contact data was published for people who had never even heard of RIPE.
As far as I know there is no suggestion that this complete openness is a good idea today. Certainly I don't remember this being raised in the RIPE Database Requirements Task Force discussions - quite the opposite! There is a strong desire to collect and publish the minimum amount of data possible.
I did raise the issue with the TF about some parts of the RIPE Database not being public.
As for whether MNTNER objects should be public... I always felt that the MNTNER concept conflated authentication and authorization and identity, and really the world would be better off without it.
When I was looking at the requirements for the ARIN database back in the 20th century I proposed that authentication should always be tied to a human being, since any access to a database was always done on behalf of a person (even when done via an automated tool). Authorization should proceed based on role-based access controls (RBAC). At the time there was not a strong privacy requirement (and since ARIN is in the USA probably there still is no strong privacy requirement), so the idea was to collect a complete history of all changes for all time, allowing audits and rollback. Today I'd probably propose that policy for historical data be a first class object that was something that could be tweaked by users within system-defined limits.
I totally agree with you on this. I did propose this idea many years ago but no one was interested then...but again, times change... cheers denis co-chair DB-WG
Cheers,
-- Shane
participants (6)
-
denis walker -
Lars Prehn -
Niall O'Reilly -
Randy Bush -
Ronald F. Guilmette -
Shane Kerr