[ppml] Staff Comments Regarding Policy Proposal 2006-3

> I'm pretty sure that you use https, which might be complex if the
> details were all subject to your configuration.
> 
> If the interactions with the resource certificates were as
> little needing of configuration, would you be as alarmed?

My bank uses https to secure the communication channel
so that it is secret and cannot be changed by 3rd parties.
However, I still need my name, account number, secret password,
and two letters chosen randomly from another secret word before
I can gain access to the account.

So, if the resource certificate needed as little config
as a mere https session then I would be very alarmed indeed.
At least https has a HUGE userbase and an equally large
number of very smart people working to find potential
flaws. This makes me confident in https.

The userbase of any resource certification system is so
small that the only thing which will make me feel confident
in it is if it uses good old fashioned tried and true
technology. Things like good business practices, passwords,
and an https session to ARIN's web application.

Back in the early 1990's it may have been necessary for 
Internet registries to reinvent the wheel, but in the 21st
century we better learn to leverage cheap and effective
off-the-shelf technology that is widely used in other
business scenarios. 

ARIN is not an experimental lab.

Or a lab rat...

--Michael Dillon