ARIN-PPML Message

[ppml] Policy Proposal 2007-2 - Staff Assessment

Policy Proposal 2007-2
Documentation of the Mail-From Authentication Method

ARIN Staff Assessment

The assessment of this proposal includes comments from ARIN staff and
the ARIN General Counsel. It contains analysis of procedural, legal, and
resource concerns regarding the implementation of this policy proposal
as it is currently stated. Any changes to the language of the proposal
may necessitate further analysis by staff and Counsel.

I.	Proposal

   Policy Proposal 2007-2 is available as Annex A below and at:
   http://www.arin.net/policy/proposals/2007_2.html

II.	Understanding of the proposal

   ARIN staff understands that this proposal would define mail-from as
the default authentication; it relies on the adoption of Policy Proposal
2007-1: Reinstatement of PGP Authentication Method.

III.	Issues and concerns

   A.	ARIN Staff

     1.	Mail-from is the default authentication method by which e-mail
communication is evaluated to determine the authenticity of the message and
the identity of the sender. It is not used to protect against "vandalism".
Even an authenticated user can vandalize, e.g. with inappropriate
comments or with ASCII art.

     2.	We recommend that a new NRPM section be created, “12.
Communications” and that 12.1 be “Authentication”. The subsequent
numbering would change appropriately.

   B.	ARIN General Counsel

     The policy as proposed poses no significant legal risks for ARIN.

IV.	Resource Impact - Minimum

The resource impact of implementing this policy is viewed as minimal.
Barring any unforeseen resource requirements, this policy could be
implemented within 90 days from the date of the ratification of the
policy by the ARIN Board of Trustees. However, implementation will
depend on the outcome of Policy Proposal 2007-1: Reinstatement of PGP
Authentication Method. Implementation would not require the acquisition
of staff personnel or equipment. It will require the following:

- Revisions to registration guidelines
- Staff Training

Respectfully submitted,

Member Services
American Registry for Internet Numbers (ARIN)


##*##


Annex A

Policy Proposal 2007-2
Documentation of the Mail-From Authentication Method

Proposal type: New

Policy term: Permanent

Policy statement:

DELETION FROM THE NRPM

12.1 Mail-From

This section intentionally left blank.

ADDITION TO THE NRPM

12.1 Mail-From

Mail-From is the default authentication method by which registration
records are protected from vandalism. If a registrant fails to designate
a more secure method, any subsequent email which bears the sender
address of an authorized Point of Contact may be deemed authentic with
regard to the registrant's records. Since it is trivial to forge a
sender address, Mail-From should not be regarded as secure. Use of
Mail-From authentication is not recommended to any registrant who has
the means to implement either of the more secure cryptographic
authentication methods.

Rationale:

This policy complements the previously proposed "Reinstatement of PGP
Authentication Method", which introduces section 12 to the NRPM. Section
12 relates the existence of three authentication methods. Two of those,
mail-from and X.509, were preexisting but not documented within the NRPM.

This policy proposal simply seeks to provide brief documentation of the
existence of the mail-from authentication method. Because the specific
wording of the documentation may be subject to debate, and is in no way
interdependent upon the documentation of the other two methods, it is
being proposed in a separate policy, so that consensus may be more
easily reached.

Timetable for implementation: Immediate