A question of due diligence....
David_Biggins@usermgmt.com
Fri, 8 Mar 2002 11:25:49 -0000
.... And please forgive me if I'm straying too far off-topic...
The following question arose from a contact on another list...
"We provide an extranet for A Big Company. Because they do a lot
of work in the US, they need to block users to this site from embargoed
countries. Although there's registration, it's automated so no-one can
contact each user and ask "are you a terrorist?". So far we've come up
with two, both sh*t, solutions:
"1) just bounce anyone who identifies themselves as eg Iraqi at
registration. However, by the use of a little-known technique called
"lying", the Axis of Evil might just get round this.
"2) do a reverse DNS lookup and bounce anyone from eg .iq. Unless
they don't have reverse DNS or use anonymisers (curse the pesky
evil-doers!)
"Neither of these is what I'd call due diligence. Anyone got
any ideas/experience in this area?"
Apart from the technical issues (and if anyone has any technical ideas
I'd welcome them off-list), there is a policy issue here. Just what
would (say) the UK government regard as due diligence?
How does this relate to what the US gov, or US companies would regard as
doing it properly?
## dave ##