On Mon, 9 Jun 2003, Christopher L. Morrow wrote:
Sorry for the latenight not-completely-operational question :) but it seems as though there is some abmiguity in the current process/procedure/rules and I'd like to atleast start some discussion on the topic.
I'm not as interested in proving something was "stolen," but how do you prove you have a "legitimate" claim? To me, the difference is important, because the record keeping is so iffy you can question almost everything. For example, NSI messed up the creation date on my domain, changing to 2002 instead of the original date. How do I prove NSI screwed up (again)? Trust Verify Remember What is the role of IANA and the regional registries? IANA/RIR are the recordkeepers. You should be able to get a "certified" history of the records for an ASN, IP address, etc. Not just the "last" owner of record, but the equivalent of a transcript of the history of an ASN, IP address, etc. showing all the changes to the records since their original allocation. "Certified" doesn't mean IANA/RIR guarantees the "ownership" or that the person is who they claim to be. Like a college transcript, the user must authorize IANA/RIR to send the transcript directly to the ISP. I would expect IANA/RIR to charge a fee for the service. What about fraudlent transfers? This is difficult, because the crooks know all the loopholes. And often make bogus legal threats to keep their operation going. They share information about ISPs, but ISPs don't share information about bad customers. Eventually I think we are going to have to do something like banks, and report when accounts are closed for cause. And I don't mean vigilante black lists, but something that follows the law like Equifax or ChexSystems. If IANA/RIR recinds a transfer, as a recordkeeper, they would notify all the ISPs which had received a "transcript" involving the individual, ASN or IP address. As we've seen, most of these people are repeat offenders. What about mistakes? Mistakes happen. That's why I would prefer more information to make a decision rather than a binary accept/reject. It may be a legitimate transaction, but IANA/ARIN/RIPE/APNIC/LACNIC's records are out of date. With a complete transcript, I may contact the previous registrant and verify the information pending the update of the registry records. What proof should IANA/RIRs accept for a transfer? History is against us. The "rules" have changed over the years. Its difficult to say what is really legitimate. How do we reclaim abandoned space before a squatter moves in? What is acceptable legal proof of transfer of "ownership" of something some people say isn't an asset? How much detective work is IANA/RIR expected to do? How much should you have to pay for IANA/RIR to do that work? When is someone going to get prosecuted? Fraud, theft, conversion, etc.