Authentication by letterhead?
Paper LOAs are unauthenticated documents, not worth the paper they are
written on. Usually FAXed, which is even less authenticatable (is that a
word?).
Prosecutors are capable of using digital documents. Do it all the time
with echecks, credit cards, ecommerce orders and ACH payments. But LOAs
are typically civil disputes, not criminal, when someone mistypes an IP
address.
They should verifiy the information in the paper LOA with a registry
anyway. Since LOAs have no intrinsic value, wouldn't be worth the
prosecutors time.
Usually a salesperson or order entry clerk thinks its required because
they've always required it. But no one in the legal department actually
knows what to do with a LOA or how to authenticate them.
Because carriers never authenticate LOAs.
On Mon, 26 Feb 2024, Matt Erculiani wrote:
A paper LOA is a legally binding document, an IRR record is an IRR record.
Falsifying an LOA that is transmitted digitally is wire fraud and can
basically be handed right over to a DA for injunction and prosecution.
Falsifying IRR records on the other hand leaves more work for the ISP's
lawyers to walk a judge (and jury) through the entire purpose and use of
that system, as opposed to "here's a super important sheet of paper that
they lied on case closed".
-Matt
On Mon, Feb 26, 2024 at 11:57 AM Seth Mattinen via NANOG <nanog@nanog.org>
wrote:
Why do companies still insist on, or deploy new systems that
rely on
paper LOA for IP and ASN resources? How can this be considered
more
trustworthy than RIR based IRR records?
And I'm not even talking about old companies, I have a situation
right
now where a VPS provider I'm using will no longer use IRR and
only
accepts new paper LOAs. In the year 2024. I don't understand how
anyone
can go backwards like that.
~Seth
--
Matt Erculiani
