ARIN-PPML Message

[ppml] Policy Proposal: Reinstatement of PGP Authentication Method

I completely support this policy as written.  Well done.

Owen

On Oct 24, 2006, at 2:37 PM, Bill Woodcock wrote:

>    1. Policy Proposal Name: Reinstatement of PGP Authentication Method
>
>    2. Authors:
>
>          1. name: Paul Vixie
>          2. email: paul at vix.com
>          3. telephone: +1 650 423 1300
>          4. organization: Internet Systems Consortium
>
>          1. name: Mark Kosters
>          2. email: markk at verisignlabs.com
>          3. telephone: +1 703 948 3200
>          4. organization: Verisign
>
>          1. name: Chris Morrow
>          2. email: christopher.morrow at verizonbusiness.com
>          3. telephone: +1 703 886 3823
>          4. organization: Verizon Business/UUnet
>
>          1. name: Jared Mauch
>          2. email: jmauch at us.ntt.net
>          3. telephone: +1 214 915 1356
>          4. organization: NTT/Verio
>
>          1. name: Bill Woodcock
>          2. email: woody at pch.net
>          3. telephone: +1 415 831 3100
>          4. organization: Packet Clearing House
>
>    3. Proposal Version: 1
>
>    4. Submission Date: Tuesday, October 24, 2006
>
>    5. Proposal type: New
>
>    6. Policy term: Permanent
>
>    7. Policy statement:
>
>       ADDITION TO NRPM
>
>         3.5 Authentication Methods
>             ARIN supports three authentication methods for
>             communication with resource recipients.
>
>             3.5.1 Mail-From
>                   This section intentionally left blank.
>
>             3.5.2 PGP
>                   ARIN accepts PGP-signed email as authentic
>                   communication from authorized Points of Contact.  
> POCs
>                   may denote their records "crypt-auth," subsequent to
>                   which unsigned communications shall not be deemed
>                   authentic with regard to those records.
>
>             3.5.3 X.509
>                   This section intentionally left blank.
>
>       UPDATES TO TEMPLATES
>
>         ARIN shall include the auth-type field in request templates as
>         necessary to distinguish between cryptographic and mail-from
>         authentication methods.
>
>       UPDATES TO DOCUMENTATION
>
>         ARIN shall update documentation as appropriate, to explain the
>         differences between mail-from, PGP, and X.509 authentication
>         methods.
>
>       KEY USE IN COMMUNICATION:
>
>         ARIN shall accept PGP-signed communications, validate the
>         signature, compare it to the identity of the authorized POCs
>         for records referenced in the correspondence, and act
>         appropriately based upon the validity or invalidity of the
>         signature.
>
>         ARIN shall PGP-sign all outgoing hostmaster email with the
>         hostmaster role key, and staff members may optionally also
>         sign mail which they originate with their own individual keys.
>
>         ARIN shall accept PGP-encrypted communications
>         which are encrypted using ARIN's hostmaster public key.
>
>         ARIN shall not encrypt any outgoing communications, except by
>         explicit mutual prior agreement with the recipient.
>
>       NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:
>
>         It is recommended that ARIN utilize normal POC-verification
>         processes as necessary to accommodate users who lose the
>         private key or passphrase associated with the POCs for their
>         crypt-auth protected resources.
>
>         It is recommended that ARIN exercise reasonable caution in
>         preventing the proliferation of copies of the hostmaster
>         private key and passphrase.
>
>         It is recommended that ARIN print out a copy of the private  
> key
>         and passphrase, and secure them in a safe-deposit box outside
>         of ARIN's physical premises, which any two ARIN officers might
>         access in the event that the operating copy of the key is lost
>         or compromised.
>
>         It is recommended that ARIN publish the hostmaster public key
>         on the ARIN web site, in a manner similar to that of the other
>         RIRs:
>           http://lacnic.net/hostmaster-pub-key.txt
>           https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
>           ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY
>
>         It is recommended that ARIN publish the hostmaster public key
>         by submitting it to common PGP keyservers which, among others,
>         might include:
>           pgp.mit.edu
>           www.pgp.net
>
>         It is recommended that ARIN attempt to cross-sign the
>         hostmaster PGP keys of the other four RIRs and ICANN.
>
>         It is recommended that ARIN's hostmaster public key be signed
>         by members of the ARIN board of trustees.
>
>    8. Rationale:
>
>         Globally, PGP is the most commonly used cryptographic
>         authentication method between RIRs and resource recipients who
>         wish to protect their resource registration records against
>         unauthorized modification. The PGP-auth authentication method
>         is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was
>         historically supported by the InterNIC prior to ARIN's
>         formation. By contrast, current ARIN resource recipients have
>         only two options: "mail-from," which is trivially spoofed and
>         should not be relied upon to protect important database
>         objects, and X.509, which involves a rigorous and lengthy
>         proof-of-identity process and compels use of a compatible MUA,
>         a combination which has dissuaded virtually all of ARIN's
>         constituents.
>
>         There isn't a lot of work to do here, and certainly nothing
>         tricky. The hostmaster key has existed since InterNIC days,  
> and
>         ARIN staff have verified that the key and passphrase are still
>         known and working fine. This is simple code, which all the
>         other RIRs deployed without a second thought or complaint. If
>         RIPE and APNIC have always done this, the InterNIC did it
>         before ARIN was formed, and LACNIC and AfriNIC took this for
>         granted as a part of their startup process, we see no reason
>         why ARIN should be the only RIR to not offer this most  
> basic of
>         protections to its members.
>
>         We need to get PGP support reinstated, so that our records can
>         be protected against hijacking and vandalism, and so we won't
>         look like idiots as the only one of the five regions that  
> can't
>         figure this stuff out.
>
>    9. Timetable for implementation: Immediate
>
>   10. Meeting presenter: Bill Woodcock
>
> END OF TEMPLATE
>
> _______________________________________________
> PPML mailing list
> PPML at arin.net
> http://lists.arin.net/mailman/listinfo/ppml

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.arin.net/pipermail/arin-ppml/attachments/20061024/cf9602bf/attachment.html>