Thank you Owen for your response. This is a reasonable point. I agree that some explicit accountability is achieved through attestation. I do wonder whether this too may be redundant. For instance, do other legal artifacts - especially RSA - provide enough of a framework for accountability to combat fraud?
Certainly that is not a question I would expect the community to answer, since this is rather in the purview of staff.

Regards,
Matthew

On Thu., Jun. 23, 2022, 11:49 a.m. Owen DeLong, <[email protected]> wrote:

> On Jun 23, 2022, at 09:06 , Matthew Wilder <[email protected]> wrote:
>
> Hi Noah, et al.
>
> It appears that a few of you are not convinced of the problem statement for this Draft policy. Just a reminder this is a draft policy authored by the Policy Experience Working Group, to solve a customer experience problem identified by staff. Also, taking off my AC hat and putting on my day job hat for a moment - I can assure you that if you are at an organization of significant scale and complexity - this is indeed a real problem. In the case of qualification for transfers (8.5.5) this is a redundant step, in practice, since significant sums of money must be approved by executives in order to execute transfers.
>
> It’s not entirely redundant… The significant sums approval doesn’t provide the necessary nexus of evidence for ARIN to hold the officers accountable in the event of resource fraud.
>
> Companies often escape prosecution by throwing lower level employees under the bus and claiming officers had no knowledge of the action in question.
>
> This step prevents that from occurring in the case of ARIN resource fraud.
>
> So yes, while I have some limited sympathy to the problem statement, I am in fact unconvinced that the problem requires a solution or that the current state imposes an unnecessary burden.
>
> Swapping back to my AC hat now. To my mind, the introduction of officer attestations generally helped achieve two positive outcomes. First, it supported the principle of conservation. Second, it reduced the opportunity for fraud. There may be other benefits obtained by the requirement for officer attestation, and I am open to hearing everyone's perspective on this.
>
> In my opinion it never really did much for the latter, and I’m not convinced it did much for the former, either.
>
> From my perspective it has always been about ensuring accountability and making sure that an accountable corporate officer (section 16 where applicable or equivalent elsewhere) is accountable for the actions of the company with regard to ARIN resource registrations. I think that’s still a valid need.
>
> This draft policy would do away with the need for officer attestation for justification of transfers, but only because the market provides the same benefits mentioned above. Would-be fraudsters on the transfer market would now face significant cost to execute a transfer, and presumably, an organization operating in bad faith could easily provide officer attestation. Similarly, documentation of an overly-optimistic plan - securing more resources than realistically needed - will mean a higher cost to the organization bankrolling the transfer. As a result, the individuals accountable for the organization's decisions are well aware of - and implicitly supportive of - the plan. An officer attestation is therefore redundant in both cases.
>
> If I agreed with your understanding of the benefits of attestation, then I’d probably agree about the market providing equivalent benefits. However, as pointed out above, the market does NOT provide the benefit of accountability and therefore, I think that it is still quite necessary and does protect the interests of ARIN and the community.
>
> To Noah and others who have voiced opposition - let me know if you see a case where the officer attestation in 8.5.5 protects the interests of ARIN and the community.
>
> Yes… See above.
>
> Owen
>
> Best regards,
> Matthew
>
> On Tue, Jun 21, 2022 at 9:15 PM Noah <[email protected]> wrote:
>
>> On Wed, 22 Jun 2022, 04:56 ARIN, <[email protected]> wrote:
>>
>>> On 16 June 2022, the ARIN Advisory Council (AC) accepted "ARIN-prop-309: Remove Officer Attestation Requirement for 8.5.5" as a Draft Policy.
>>>
>>> Draft Policy ARIN-2022-3: Remove officer attestation requirement for 8.5.5
>>>
>>> Problem Statement:
>>>
>>> Requiring an officer attestation requires unnecessary resources and increases the time to complete an IPv4 transfer.
>>>
>>> Policy statement:
>>>
>>> 8.5.5. Block Size
>>>
>>> Organizations may qualify for the transfer of a larger initial block, or an additional block, by providing documentation to ARIN which details the use of at least 50% of the requested IPv4 block size within 24 months.
>>>
>>> Removing “An officer of the organization shall attest to the documentation provided to ARIN.”
>>>
>> Using time as an excuse does not fly. Attestation is accountability and enforces legitimacy.
>>
>> An authorized officer should not only be aware but MUST also be involved in attesting of documents that involve any Internet Number Resources transfers.
>>
>> We have experienced first hand on the negative impact of Admin Contacts being clueless to what it is that Tech contacts do.
>>
>> So I oppose the policy for using time as an excuse to remove an important process that ensures legitimacy.
>>
>> Noah
>>
>> _______________________________________________
>> ARIN-PPML
>> You are receiving this message because you are subscribed to
>> the ARIN Public Policy Mailing List ([email protected]).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-ppml
>> Please contact [email protected] if you experience any issues.
>
> --
> *Matthew Wilder*
> Sr Engineer - IPv6, IP Address Management
