From my perspective, it is not redundant unless we start requiring the RSA to be signed by a corporate officer and apply that requirement to any transfer applicant whose RSA was not already signed by a corporate officer (i.e. make them have an officer sign a new RSA).
Owen

> On Jun 23, 2022, at 12:08 , Matthew Wilder <[email protected]> wrote:
>
> Thank you Owen for your response.
>
> This is a reasonable point. I agree that some explicit accountability is
> achieved through attestation. I do wonder whether this too may be redundant.
> For instance, do other legal artifacts - especially RSA - provide enough of a
> framework for accountability to combat fraud?
>
> Certainly that is not a question I would expect the community to answer,
> since this is rather in the purview of staff.
>
> Regards,
> Matthew
>
> On Thu., Jun. 23, 2022, 11:49 a.m. Owen DeLong, <[email protected]> wrote:
>
>> On Jun 23, 2022, at 09:06 , Matthew Wilder <[email protected]> wrote:
>>
>> Hi Noah, et al.
>>
>> It appears that a few of you are not convinced of the problem statement for
>> this Draft policy. Just a reminder this is a draft policy authored by the
>> Policy Experience Working Group, to solve a customer experience problem
>> identified by staff. Also, taking off my AC hat and putting on my day job
>> hat for a moment - I can assure you that if you are at an organization of
>> significant scale and complexity - this is indeed a real problem. In the
>> case of qualification for transfers (8.5.5) this is a redundant step, in
>> practice, since significant sums of money must be approved by executives in
>> order to execute transfers.
>
> It’s not entirely redundant… The significant sums approval doesn’t provide
> the necessary nexus of evidence for ARIN to hold the officers accountable in
> the event of resource fraud.
>
> Companies often escape prosecution by throwing lower level employees under
> the bus and claiming officers had no knowledge of the action in question.
>
> This step prevents that from occurring in the case of ARIN resource fraud.
>
> So yes, while I have some limited sympathy to the problem statement, I am in
> fact unconvinced that the problem requires a solution or that the current
> state imposes an unnecessary burden.
>
>> Swapping back to my AC hat now. To my mind, the introduction of officer
>> attestations generally helped achieve two positive outcomes. First, it
>> supported the principle of conservation. Second, it reduced the opportunity
>> for fraud. There may be other benefits obtained by the requirement for
>> officer attestation, and I am open to hearing everyone's perspective on this.
>
> In my opinion it never really did much for the latter, and I’m not convinced
> it did much for the former, either.
>
> From my perspective it has always been about ensuring accountability and
> making sure that an accountable corporate officer (section 16 where
> applicable or equivalent elsewhere) is accountable for the actions of the
> company with regard to ARIN resource registrations. I think that’s still a
> valid need.
>
>> This draft policy would do away with the need for officer attestation for
>> justification of transfers, but only because the market provides the same
>> benefits mentioned above. Would-be fraudsters on the transfer market would
>> now face significant cost to execute a transfer, and presumably, an
>> organization operating in bad faith could easily provide officer
>> attestation. Similarly, documentation of an overly-optimistic plan -
>> securing more resources than realistically needed - will mean a higher cost
>> to the organization bankrolling the transfer. As a result, the individuals
>> accountable for the organization's decisions are well aware of - and
>> implicitly supportive of - the plan. An officer attestation is therefore
>> redundant in both cases.
>
> If I agreed with your understanding of the benefits of attestation, then I’d
> probably agree about the market providing equivalent benefits. However, as
> pointed out above, the market does NOT provide the benefit of accountability
> and therefore, I think that it is still quite necessary and does protect the
> interests of ARIN and the community.
>
>> To Noah and others who have voiced opposition - let me know if you see a
>> case where the officer attestation in 8.5.5 protects the interests of ARIN
>> and the community.
>
> Yes… See above.
>
> Owen
>
>> Best regards,
>> Matthew
>>
>> On Tue, Jun 21, 2022 at 9:15 PM Noah <[email protected]> wrote:
>>
>> On Wed, 22 Jun 2022, 04:56 ARIN, <[email protected]> wrote:
>> On 16 June 2022, the ARIN Advisory Council (AC) accepted "ARIN-prop-309:
>> Remove Officer Attestation Requirement for 8.5.5" as a Draft Policy.
>>
>> Draft Policy ARIN-2022-3: Remove officer attestation requirement for 8.5.5
>>
>> Problem Statement:
>>
>> Requiring an officer attestation requires unnecessary resources and
>> increases the time to complete an IPv4 transfer.
>>
>> Policy statement:
>>
>> 8.5.5. Block Size
>>
>> Organizations may qualify for the transfer of a larger initial block, or an
>> additional block, by providing documentation to ARIN which details the use
>> of at least 50% of the requested IPv4 block size within 24 months.
>>
>> Removing “An officer of the organization shall attest to the documentation
>> provided to ARIN.”
>>
>> Using time as an excuse does not fly. Attestation is accountability and
>> enforces legitimacy.
>>
>> An authorized officer should not only be aware but MUST also be involved in
>> attesting of documents that involve any Internet Number Resources transfers.
>>
>> We have experienced first hand the negative impact of Admin Contacts being
>> clueless to what it is that Tech contacts do.
>>
>> So I oppose the policy for using time as an excuse to remove an important
>> process that ensures legitimacy.
>>
>> Noah
>>
>> --
>> Matthew Wilder
>>
>> Sr Engineer - IPv6, IP Address Management
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.
