[ppml] Policy Proposal: Reinstatement of PGP Authentication Method
Member Services
info at arin.net
Tue Nov 21 16:14:32 EST 2006
On 2 November 2006 the ARIN Advisory Council (AC) reviewed Reinstatement
of PGP Authentication Method and did not accept it at this time as a
formal policy proposal. The AC will work with the author to revise the
text prior to taking further action.

The proposal text is below and can be found at:
http://www.arin.net/policy/proposals/submission_archive.html

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


Member Services wrote:
> ARIN received the following policy proposal. In accordance with the ARIN
> Internet Resource Policy Evaluation Process, the proposal is being
> posted to the ARIN Public Policy Mailing List (PPML) and being placed on
> ARIN's website.
>
> The ARIN Advisory Council (AC) will review this proposal and may decide to:
>
> 1. Accept the proposal as a formal policy proposal as it is presented;
> 2. Work with the author to:
>    a) clarify the language or intent of the proposal;
>    b) divide the proposal into two (2) or more proposals; or
>    c) combine the proposal with other proposals; or,
> 3. Not accept the proposal as a formal policy proposal.
>
> This proposal was received within 10 days of the next scheduled meeting
> of the ARIN Advisory Council; the review period may be extended to the
> regularly scheduled meeting that occurs after the upcoming meeting.
>
> If the AC accepts the proposal or reaches an agreement with the author,
> then the proposal will be posted as a formal policy proposal to PPML and
> it will be presented at a Public Policy Meeting. If the AC does not
> accept the proposal or can not reach an agreement with the author, then
> the AC will notify the community of their decision with an explanation;
> at that time the author may elect to use the petition process to advance
> their proposal. If the author elects not to petition or the petition
> fails, then the proposal will be considered closed.
>
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
>
> Mailing list subscription information can be found at:
> http://www.arin.net/mailing_lists/index.html
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ## * ##
>
>
> Policy Proposal Name: Reinstatement of PGP Authentication Method
>
> Authors:
> Paul Vixie
> Mark Kosters
> Chris Morrow
> Jared Mauch
> Bill Woodcock
>
> Submission Date: Tuesday, October 24, 2006
>
> Proposal type: New
>
> Policy term: Permanent
>
> Policy statement:
>
> ADDITION TO NRPM
>
> 3.5 Authentication Methods
> ARIN supports three authentication methods for
> communication with resource recipients.
>
> 3.5.1 Mail-From
> This section intentionally left blank.
>
> 3.5.2 PGP
> ARIN accepts PGP-signed email as authentic
> communication from authorized Points of Contact. POCs
> may denote their records "crypt-auth," subsequent to
> which unsigned communications shall not be deemed
> authentic with regard to those records.
>
> 3.5.3 X.509
> This section intentionally left blank.
>
> UPDATES TO TEMPLATES
>
> ARIN shall include the auth-type field in request templates as
> necessary to distinguish between cryptographic and mail-from
> authentication methods.
>
> UPDATES TO DOCUMENTATION
>
> ARIN shall update documentation as appropriate, to explain the
> differences between mail-from, PGP, and X.509 authentication
> methods.
>
> KEY USE IN COMMUNICATION:
>
> ARIN shall accept PGP-signed communications, validate the
> signature, compare it to the identity of the authorized POCs
> for records referenced in the correspondence, and act
> appropriately based upon the validity or invalidity of the
> signature.
>
> ARIN shall PGP-sign all outgoing hostmaster email with the
> hostmaster role key, and staff members may optionally also
> sign mail which they originate with their own individual keys.
>
> ARIN shall accept PGP-encrypted communications
> which are encrypted using ARIN's hostmaster public key.
>
> ARIN shall not encrypt any outgoing communications, except by
> explicit mutual prior agreement with the recipient.
>
> NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:
>
> It is recommended that ARIN utilize normal POC-verification
> processes as necessary to accommodate users who lose the
> private key or passphrase associated with the POCs for their
> crypt-auth protected resources.
>
> It is recommended that ARIN exercise reasonable caution in
> preventing the proliferation of copies of the hostmaster
> private key and passphrase.
>
> It is recommended that ARIN print out a copy of the private key
> and passphrase, and secure them in a safe-deposit box outside
> of ARIN's physical premises, which any two ARIN officers might
> access in the event that the operating copy of the key is lost
> or compromised.
>
> It is recommended that ARIN publish the hostmaster public key
> on the ARIN web site, in a manner similar to that of the other
> RIRs:
> http://lacnic.net/hostmaster-pub-key.txt
> https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
> ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY
>
> It is recommended that ARIN publish the hostmaster public key
> by submitting it to common PGP keyservers which, among others,
> might include:
> pgp.mit.edu
> www.pgp.net
>
> It is recommended that ARIN attempt to cross-sign the
> hostmaster PGP keys of the other four RIRs and ICANN.
>
> It is recommended that ARIN's hostmaster public key be signed
> by members of the ARIN board of trustees.
>
> Rationale:
>
> Globally, PGP is the most commonly used cryptographic
> authentication method between RIRs and resource recipients who
> wish to protect their resource registration records against
> unauthorized modification. The PGP-auth authentication method
> is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was
> historically supported by the InterNIC prior to ARIN's
> formation. By contrast, current ARIN resource recipients have
> only two options: "mail-from," which is trivially spoofed and
> should not be relied upon to protect important database
> objects, and X.509, which involves a rigorous and lengthy
> proof-of-identity process and compels use of a compatible MUA,
> a combination which has dissuaded virtually all of ARIN's
> constituents.
>
> There isn't a lot of work to do here, and certainly nothing
> tricky. The hostmaster key has existed since InterNIC days, and
> ARIN staff have verified that the key and passphrase are still
> known and working fine. This is simple code, which all the
> other RIRs deployed without a second thought or complaint. If
> RIPE and APNIC have always done this, the InterNIC did it
> before ARIN was formed, and LACNIC and AfriNIC took this for
> granted as a part of their startup process, we see no reason
> why ARIN should be the only RIR to not offer this most basic of
> protections to its members.
>
> We need to get PGP support reinstated, so that our records can
> be protected against hijacking and vandalism, and so we won't
> look like idiots as the only one of the five regions that can't
> figure this stuff out.
>
> Timetable for implementation: Immediate
>
>
> _______________________________________________
> PPML mailing list
> PPML at arin.net
> http://lists.arin.net/mailman/listinfo/ppml
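Editor's worked example, not part of the proposal or of any ARIN or RIR code: the decision rule in the "KEY USE IN COMMUNICATION" section (validate the signature, compare the signer to the authorized POC for the referenced records, then act) together with the "crypt-auth" rule from 3.5.2 (once a record is flagged, unsigned mail is not deemed authentic for it). The example is written in Go and uses Ed25519 from the standard library as a stand-in for OpenPGP signatures, with a SHA-256 of the public key standing in for a PGP fingerprint; the POC record structure, the decision values and the sample request are constructed for illustration. The point it makes concrete is the middle step of the proposal's rule: a signature that verifies is not enough, the signing key must also be the one registered for the POC.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// POC is a Point of Contact record as the proposal describes it: a
// mail-from address plus, optionally, the fingerprint of the key the POC
// registered. CryptAuth marks the record "crypt-auth", after which
// unsigned mail is not deemed authentic for it. (Constructed structure.)
type POC struct {
	Handle    string
	Email     string
	KeyFP     string // fingerprint of the registered public key, "" if none
	CryptAuth bool
}

// Message is an inbound request. Signature and SignerKey are nil when the
// mail arrived unsigned.
type Message struct {
	From      string
	Body      []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Decision is what the registry does with the request.
type Decision int

const (
	Reject         Decision = iota
	AcceptMailFrom          // sender address matched only (trivially spoofed)
	AcceptSigned            // valid signature from the POC's registered key
)

// GenerateKeyPair stands in for a POC generating a PGP key pair.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Fingerprint is a stand-in for a PGP key fingerprint: SHA-256 of the raw
// public key, hex encoded. (Assumption for this example.)
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignedMessage builds a request signed with the sender's private key.
func SignedMessage(from string, body []byte, priv ed25519.PrivateKey) Message {
	return Message{
		From:      from,
		Body:      body,
		Signature: ed25519.Sign(priv, body),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// Authenticate applies the proposal's rule: validate the signature, compare
// the signer to the authorized POC for the record, and only then act.
func Authenticate(msg Message, poc POC) (Decision, string) {
	if msg.Signature != nil {
		if msg.SignerKey == nil || !ed25519.Verify(msg.SignerKey, msg.Body, msg.Signature) {
			return Reject, "signature present but does not verify"
		}
		// A valid signature alone proves nothing about authorization: the
		// key must be the one registered for this POC.
		if fp := Fingerprint(msg.SignerKey); fp != poc.KeyFP {
			return Reject, "valid signature, but signer " + fp[:16] + " is not the POC's registered key"
		}
		return AcceptSigned, "signed by the registered key of " + poc.Handle
	}
	if poc.CryptAuth {
		return Reject, "record is crypt-auth; unsigned mail is not deemed authentic"
	}
	if msg.From != poc.Email {
		return Reject, "sender does not match the POC address"
	}
	return AcceptMailFrom, "mail-from match only (header is trivially spoofed)"
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	_, otherPriv, _ := GenerateKeyPair() // some unrelated key holder
	poc := POC{Handle: "EXAMPLE-POC", Email: "poc@example.net", KeyFP: Fingerprint(pub), CryptAuth: true}
	body := []byte("please update the phone number on record for EXAMPLE-POC") // constructed request
	for _, m := range []Message{
		{From: "poc@example.net", Body: body},           // unsigned, address matches
		SignedMessage("poc@example.net", body, priv),      // signed by the registered key
		SignedMessage("poc@example.net", body, otherPriv), // valid signature, wrong key
	} {
		d, why := Authenticate(m, poc)
		fmt.Printf("decision=%d: %s\n", d, why)
	}
}
```

With the record flagged crypt-auth, only the second message is accepted; the first is refused because it is unsigned, and the third because the signature, although cryptographically valid, was made with a key that is not the POC's. Clearing CryptAuth makes the first message fall back to the mail-from comparison the proposal describes as trivially spoofed.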