[Community-Discuss] post ipv4 depletion frauds, brokers activities

ALAIN AINA aalain at trstech.net
Sat Jun 25 15:46:14 UTC 2016


> On Jun 25, 2016, at 6:22 AM, Nishal Goburdhan <nishal at controlfreak.co.za> wrote:
> 
> On 24 Jun 2016, at 21:06, Honest Ornella GANKPA wrote:
> 
>> It is quite scary actually that even the RIR is promoting such bad
>> practices on the pretense of simplicity
> 
> i disagree.
> and i’m not quite sure you see the double standard here.
> 
> you (meaning: a general user) are happy to use your user name and password, and give your credit card details (ie. real money) to the afrinic website, based simply on your acceptance of a perceived 3rd party valid certificate implying identification  

Those who do have enough trust in  what you just describe, prefer other payment mechanisms


> (it’s true;  the payment bits at my.afrinic.net don’t require more than a simple authenticated user login).

Yes, the authentication needed here  is to associate the payment to the org. the rest is more on how the payment is processed.


> that same set of authentication information, is needed to *manage* your resources - that critical thing that your network needs -  on a daily basis.
> but yet, somehow you think that this same set of validation/authentication criteria isn’t good enough for specific bits of the website?

No, here we need more and strong ones as you tried to obtain via your ticket. We all agree long ago, password-only protection is weak. 

—Alain

> i like to see evidence (proof).  it could be easily argued that, since the e-voting process was Made Simpler (tm) more people used it this year;  i don’t recall the actual numbers, but i’m told that there were *more* e-voters users this year, than last, eh?
> 
> do i wish afrinic would improve security around my.afrinic?  heck yes;  i logged ticket #249014 with afrinic in october 2014 asking for 2FA, which, i’m told is slated for sometime in 2016.  (my ticket is still open!)   i think that 2FA would be a better security deterrent than a bpki cert.  my most recent cert was copied from a laptop, put onto a memory stick and handed to me - i’m sure you can spot the obvious flaws with that .. :-)
> 
> 
>> And why isn't the community consulted when such decisions are taken?
> 
> there was a bylaw change that was done to allow electronic voting (being a new means of voting).  that required membership (not community - mild difference!) consultation.
> 
> the *mechanics* of the system, are *operational* changes.  for that, we have smart people at afrinic that know how to run systems.  we should let them do, what they are paid to do.  do they really need to get community^Wmember consensus to let folks know that they are changing their name-server software (ie. another operational change?)   :-)
> 
> —n.
> 
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss




More information about the Community-Discuss mailing list