Date: Thu, 2 Mar 2000 12:17:38 -0600
From: David Nesting <david@FASTOLFE.NET>
Subject: Re: "Association of Responsible Internet Providers"?
To: BUGTRAQ@SECURITYFOCUS.COM

I apologize for taking so long in summarizing these responses. I've been on vacation and otherwise occupied for a couple of weeks.

Elias has been kind enough to set up a mailing list for future discussions about "ARIP" (or whatever descendants might arise). To subscribe, send an e-mail to email@example.com with the text "subscribe arip firstname lastname" in the body. Please send any further discussions, ideas, or replies to this mailing list.

A few people mentioned NANOG <http://www.nanog.org/> and ISPF <http://www.ispf.org/>. I am in agreement that input must be solicited from these groups. I also encourage people to subscribe to Dragos Ruiu's <firstname.lastname@example.org> list for related discussions about coordinating attack responses (see list archives for details).

I won't begin to respond to all of the e-mail I've received, but here are some snippets of a few responses I've received. There were lots of very interesting points made, and if I've missed yours, please feel free to post it to the ARIP list.

David

* despot <email@example.com>

> One of the downsides I see is that such a certification would provide
> attackers with at least some idea of which providers are irresponsible.

I hadn't thought about explicitly publishing a list of participating entities, though I would hope one of the conditions of membership would be a published, staffed emergency contact, and I would hate to restrict this information to members only. And of course just because a company isn't ISO certified doesn't mean it's not an exceptional company otherwise.

* Seth R Arnold <firstname.lastname@example.org>

> There are two points of trouble I can think of -- first, if the dues are
> high enough, ISPs won't want to join -- profits are slim enough already
> for many. Second, most users don't care.

It would be our job to make them care. Explain to the public and press WHY membership with this organization is good for the customer and for the Internet as a whole, and eyes will start wandering to those big names that /aren't/ boasting membership.

* "Aleshire Rick" <email@example.com>

> you are creating an elitist organization - the have vs the have nots -
> you cannot even begin to tackle the security of the internet if the
> weakest link in the chain is not a part of it!!!

I agree 100%! Ideally, we should not only work on pointing out those companies that have done an excellent job, but aid everyone in working together, member or not. I'd rather not see this turn into Yet Another Security Site, so this specific task might be better left to another group.

* "Mark E. Drummond" <firstname.lastname@example.org>

> ... this is absolutely ludicrous. "You can't be part of our clique cuz
> you can't afford it" ... "oh, you are losing business because you are
> not certified by us? well for a small fee ...".

* Arch Angel <email@example.com>

> The rational man would say.."Well, if he couldn't conform to the
> standards, then he shouldn't have opened an ISP." however, I could see a
> competent corporate attorney suing for monopolizing the internet or some
> other ridiculous charge.

I don't see an organization like this to be any different from, say, ISO certification. Cheap ISPs (as in can't afford to abide by membership requirements) will continue to have their niche in the form of customers that could care less. ISPs that take the time and effort to secure their systems and networks, and who make an effort to have staff on hand to aid their peers in tracking down abuses, deserve recognition.