[ppml] PPML Digest, Vol 22, Issue 26

Lou Chiorazzi lchiorazzi at glowpoint.com
Fri Apr 13 18:47:22 EDT 2007


I've unsubscribed 5 times now.  Please help.

-----Original Message-----
From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf Of
ppml-request at arin.net
Sent: Friday, April 13, 2007 6:46 PM
To: ppml at arin.net
Subject: PPML Digest, Vol 22, Issue 26

Send PPML mailing list submissions to
	ppml at arin.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.arin.net/mailman/listinfo/ppml
or, via email, send a message with subject or body 'help' to
	ppml-request at arin.net

You can reach the person managing the list at
	ppml-owner at arin.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of PPML digest..."


Today's Topics:

   1. Re: nro global policy was Re:  2007-12 - Staff Assessment
      (Ray Plzak)
   2. Re: Policy Proposal 2007-1 - Staff Assessment (Antonio Querubin)
   3. Re: Policy Proposal 2007-1 - Staff Assessment
      (michael.dillon at bt.com)
   4. Re: Policy Proposal 2007-12 - Staff Assessment
      (michael.dillon at bt.com)
   5. Re: Policy Proposal 2007-12 - Staff Assessment (McCuine, Joe)
   6. Re: Policy Proposal 2007-1 - Staff Assessment (Stephen Sprunk)
   7. Re: Policy Proposal 2007-1 - Staff Assessment (Randy Bush)


----------------------------------------------------------------------

Message: 1
Date: Fri, 13 Apr 2007 15:00:51 -0400
From: Ray Plzak <plzak at arin.net>
Subject: Re: [ppml] nro global policy was Re:  2007-12 - Staff
	Assessment
To: Edward Lewis <Ed.Lewis at neustar.biz>,	"ppml at arin.net"
	<ppml at arin.net>
Message-ID: <D7E170CA59F2F24EA64244745D01E7590227CA8436 at ex.arin.net>
Content-Type: text/plain; charset="us-ascii"

Ed,

My understanding is that the authors do not intend for this to be a
global policy which would require identical language in all regions (see
NRPM Section 10), but rather that the policy be implemented globally.
The latter allows for regional differences. What is not clear in that
regard is where the authors are willing to accept regional differences.

Ray

From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf Of
Edward Lewis
Sent: Friday, April 13, 2007 2:50 PM
To: ppml at arin.net
Cc: ed.lewis at neustar.biz
Subject: [ppml] nro global policy was Re: 2007-12 - Staff Assessment

At 14:22 -0400 4/13/07, Member Services wrote:

>   http://www.arin.net/policy/proposals/2007_12.html
>

>     3.        Author did not indicate placement. Could be put in as new
>section 4.9 of the NRPM Section 4.9. Also, that section would need a
>heading, perhaps, "Availability of IPv4 Address Space".

The staff comment is valid and I'm not questioning that.  But here is
the beginning of the global policy process instruction on the NRO
website:

#Any individual may submit a global proposal. Each RIR community must
ratify an identical version
#of the proposed policy.

How "identical?"  If the policies have to be forced into the NRPM in
ARIN and whatever the equivalent is in another region, can any policy
ever meet the requirement above?

Sorry for an idle thought here - this isn't a comment on the policy but
is related to this being targeted as a global policy.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-
Edward Lewis
+1-571-434-5468
NeuStar

Sarcasm doesn't scale.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.arin.net/pipermail/ppml/attachments/20070413/9f4c002b/attachment-0001.html

------------------------------

Message: 2
Date: Fri, 13 Apr 2007 09:04:27 -1000 (HST)
From: Antonio Querubin <tony at lava.net>
Subject: Re: [ppml] Policy Proposal 2007-1 - Staff Assessment
To: Member Services <info at arin.net>
Cc: ppml at arin.net
Message-ID: <Pine.BSI.4.64.0704130900200.29045 at malasada.lava.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Fri, 13 Apr 2007, Member Services wrote:

>     5.	A PGP-key for hostmaster at arin.net exists on pgp.mit.edu as well
> as other well-known PGP-key repositories.  This key was set up during
> the early days of ARIN, and the passphrase for the key is, as of this
> writing, MIA.  This prevents ARIN from using the key to sign anything,
> and furthermore prevents ARIN from removing the key from the key
> repositories mentioned above.  Although ARIN could proceed by generating

Just how many PGP repositories is it found on?  Why not just make a call
to the operators of those repositories and have them manually remove the
key?

Antonio Querubin
whois:  AQ7-ARIN


------------------------------

Message: 3
Date: Fri, 13 Apr 2007 20:12:21 +0100
From: <michael.dillon at bt.com>
Subject: Re: [ppml] Policy Proposal 2007-1 - Staff Assessment
To: <ppml at arin.net>
Message-ID: <D03E4899F2FB3D4C8464E8C76B3B68B0311743 at E03MVC4-UKBR.domain1.systemhost.net>
Content-Type: text/plain;	charset="US-ASCII"

>      5.	A PGP-key for hostmaster at arin.net exists on pgp.mit.edu as well
> as other well-known PGP-key repositories.  This key was set up during
> the early days of ARIN, and the passphrase for the key is, as of this
> writing, MIA.  This prevents ARIN from using the key to sign anything,
> and furthermore prevents ARIN from removing the key from the key
> repositories mentioned above.  Although ARIN could proceed by generating
> a new PGP-key, we would need to use a limited distribution mechanism
> that excludes well-known servers, since more than one key for the same
> e-mail address cannot exist in the key servers.

The solution to this is to retire the archaic and obscure term
"hostmaster" in favor of something straightforward like
"regsvcs at arin.net". Of course the old address could continue to receive
email indefinitely, but it would no longer be mentioned in any current
documents nor would it be used to send any email.

> The difficulties introduced by changing
> the well-known e-mail address of hostmaster at arin.net to some other
> address makes such a change an unattractive option.

I disagree on this point. As long as the old email address continues to
accept email, it should not be hard to change the address, just somewhat
tedious to find all occurrences of it. People who intend to *CHANGE*
their processes to use PGP, will have no difficulty in changing the
email address that they use.

>      6.	Currently ARIN uses two e-mail addresses, hostmaster at arin.net
> and reassign at arin.net, to accept e-mail. The purpose for the
> differentiation is primarily workflow-related: submissions to hostmaster
> are generally handled manually while submissions to reassign are
> generally able to be handled by automated software.

Not true. All mail to ARIN is handled by automated software known as a
mail server. This software makes dispatching decisions based on message
content. Why can't all email go to regsvcs at arin.net and then get
dispatched, based on SUBJECT line (or template in message body)?
Admittedly you would need to make some systems changes, but this is not
a technically difficult thing to do.

--Michael Dillon


------------------------------

Message: 4
Date: Fri, 13 Apr 2007 20:17:23 +0100
From: <michael.dillon at bt.com>
Subject: Re: [ppml] Policy Proposal 2007-12 - Staff Assessment
To: <ppml at arin.net>
Message-ID: <D03E4899F2FB3D4C8464E8C76B3B68B0311745 at E03MVC4-UKBR.domain1.systemhost.net>
Content-Type: text/plain;	charset="US-ASCII"

>      11.	If IPv4 is replaced by IPv6 then one could assume that
> organizations would return their IPv4 back to ARIN and that space would
> be available for reallocation. However, this policy would effectively
> preclude ARIN from reusing this returned space.

There, in a nutshell, is the biggest problem with any policy like this.

> but it proposes to do so in a way
> that may inadvertently create profound legal issues that would
> dramatically increase ARIN's potential legal liabilities.  

And there is the 2nd biggest problem. Both problems kill this policy
proposal and any other similar types of proposals.

--Michael Dillon


------------------------------

Message: 5
Date: Fri, 13 Apr 2007 15:14:11 -0400
From: "McCuine, Joe" <jmccuine at scsfinancial.com>
Subject: Re: [ppml] Policy Proposal 2007-12 - Staff Assessment
To: <ppml at arin.net>
Message-ID: <8CC8036432F76B47BAD6C6E4192C0C73F0743D at scsmail.scs.corp>
Content-Type: text/plain;	charset="us-ascii"

How do I get myself off of this email trail............

______________________________________
Joseph E. McCuine, CFA|COO
SCS Financial Services LLC
610 Lincoln Street|Suite 200|Waltham MA 02451
781.290.4533|781.290.4411 Fax|508.439.9371 Mobile
jmccuine at scsfinancial.com

-----Original Message-----
From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf Of
michael.dillon at bt.com
Sent: Friday, April 13, 2007 3:17 PM
To: ppml at arin.net
Subject: Re: [ppml] Policy Proposal 2007-12 - Staff Assessment

>      11.	If IPv4 is replaced by IPv6 then one could assume that
> organizations would return their IPv4 back to ARIN and that space would
> be available for reallocation. However, this policy would effectively
> preclude ARIN from reusing this returned space.

There, in a nutshell, is the biggest problem with any policy like this.

> but it proposes to do so in a way
> that may inadvertently create profound legal issues that would
> dramatically increase ARIN's potential legal liabilities.  

And there is the 2nd biggest problem. Both problems kill this policy
proposal and any other similar types of proposals.

--Michael Dillon
_______________________________________________
This message sent to you through the ARIN Public Policy Mailing List
(PPML at arin.net).
Manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/ppml



------------------------------

Message: 6
Date: Fri, 13 Apr 2007 17:01:02 -0500
From: "Stephen Sprunk" <stephen at sprunk.org>
Subject: Re: [ppml] Policy Proposal 2007-1 - Staff Assessment
To: "Randy Bush" <randy at psg.com>, "Member Services" <info at arin.net>
Cc: ARIN PPML <ppml at arin.net>
Message-ID: <016c01c77e1b$ee8dddc0$3b3816ac at atlanta.polycom.com>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=original

Thus spake "Randy Bush" <randy at psg.com>
>>      4. In the section "KEY USE IN COMMUNICATION", the
>> proposal requires validation of "a chain of trust not longer than
>> five steps" between the signing key and ARIN's hostmaster
>> role key, without regard to whether such intermediary signers
>> are ARIN POCs, or are even known to ARIN.  Without direct
>> binding of the PGP key to an ARIN POC record, such
>> anonymity in the chain of trust raises serious questions about
>> how ARIN staff will know and evaluate that an e-mail from a
>> signer is authentically from the ARIN POC that the sender
>> claims to be.
>
> this is critical!

I think folks are confusing authentication with authorization here (which is
common).  The number of steps through the web of trust indicates how much
confidence one has when authenticating a sender.  It has nothing to do with
authorizing the sender to perform a given action.

For instance, if bob at foo.com signs a key for john at bar.com, ARIN could
legitimately consider mail from john at bar.com to be authentic if ARIN trusts
bob at foo.com.  Still, ARIN would only allow john at bar.com to update FooCorp's
records if he was a POC for FooCorp.  Or is my understanding of the proposal
wrong?  I doubt that, if someone at AT&T signs a key of someone at Verizon,
the authors intended to let Verizon modify all of AT&T's resources...

I happen to think five steps is excessive, and would like that revised
lower, but by itself that's not enough reason for me to be against this
proposal.  Still, counsel's reasonable concerns about liability may require
us to eliminate the chain of trust entirely.

>> Although ARIN could proceed by generating a new PGP-key,
>> we would need to use a limited distribution mechanism that
>> excludes well-known servers, since more than one key for the
>> same e-mail address cannot exist in the key servers.
>
> i believe that last assertion to be incorrect

I know for a fact it's incorrect; the same thing happened to me years ago
and the keyserver network now has several different keys for me (only one of
which I still possess).

Still, I'd expect that the keyserver operators would cooperate with removing
ARIN's old key if contacted by non-electronic means.  They might not (er,
won't) do this for individuals, but ARIN does have standing in the community
that warrants an exception...

Also, it's possible to have multiple email addresses attached to the same
key, allowing hostmaster@, reassign@, and any other role addresses to use the
same key.  However, non-role addresses should not be added since they
effectively cannot be removed.

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov 




------------------------------

Message: 7
Date: Fri, 13 Apr 2007 12:45:25 -1000
From: Randy Bush <randy at psg.com>
Subject: Re: [ppml] Policy Proposal 2007-1 - Staff Assessment
To: Stephen Sprunk <stephen at sprunk.org>
Cc: ARIN PPML <ppml at arin.net>
Message-ID: <46200805.2090904 at psg.com>
Content-Type: text/plain; charset=ISO-8859-1

>>>      4. In the section "KEY USE IN COMMUNICATION", the
>>> proposal requires validation of "a chain of trust not longer than
>>> five steps" between the signing key and ARIN's hostmaster
>>> role key, without regard to whether such intermediary signers
>>> are ARIN POCs, or are even known to ARIN.  Without direct
>>> binding of the PGP key to an ARIN POC record, such
>>> anonymity in the chain of trust raises serious questions about
>>> how ARIN staff will know and evaluate that an e-mail from a
>>> signer is authentically from the ARIN POC that the sender
>>> claims to be.
>>
>> this is critical!
> 
> I think folks are confusing authentication with authorization here

yes.  when i give my public pgp key to arin, i am saying
  o you know it is i because i can sign things with the private key
    which matches this public key (authentication), and
  o our contract authorizes me to conduct certain classes of
    transactions with arin (authorization)

if i sign joe's key with the private key, this might give arin some warm
fuzzies that joe is joe (or not).  but what it does not do is say that
joe is authorized to conduct any transactions with arin.

transitive pgp has no way of expressing what authorization is being
transferred.

randy


------------------------------

_______________________________________________
PPML mailing list
PPML at arin.net
http://lists.arin.net/mailman/listinfo/ppml


End of PPML Digest, Vol 22, Issue 26
************************************
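
Added example, not part of the original thread or of the proposal text: the
authentication/authorization split argued in messages 6 and 7, modelled in
Python. The key labels, signature graph, POC records and the reading of "five
steps" as signature-path length from the role key are all constructed
assumptions.

```python
from collections import deque

MAX_STEPS = 5  # "a chain of trust not longer than five steps" (quoted assessment)
ROOT = "hostmaster-role-key"

# Constructed sample data: signer -> keys it has signed. Labels stand in for
# key fingerprints; none of this is ARIN data.
SIGNATURES = {
    ROOT: {"bob@foo.com"},
    "bob@foo.com": {"john@bar.com"},
    "john@bar.com": {"k3"},
    "k3": {"k4"},
    "k4": {"k5"},
    "k5": {"far@example.net"},
}

# Constructed POC records: organisation -> keys bound directly to its POCs.
POC_KEYS = {
    "FooCorp": {"bob@foo.com", "far@example.net"},
    "BarCorp": {"john@bar.com"},
}


def chain_length(key, signatures=SIGNATURES, root=ROOT):
    """Shortest number of signature steps from root to key, or None."""
    seen, queue = {root}, deque([(root, 0)])
    while queue:
        node, steps = queue.popleft()
        if node == key:
            return steps
        for signed in signatures.get(node, ()):
            if signed not in seen:
                seen.add(signed)
                queue.append((signed, steps + 1))
    return None


def is_authenticated(key, max_steps=MAX_STEPS):
    """Authentication: is the key reachable within the step limit?"""
    steps = chain_length(key)
    return steps is not None and steps <= max_steps


def may_update(key, org):
    """Authorization: authenticated AND bound to a POC record of that org."""
    return is_authenticated(key) and key in POC_KEYS.get(org, set())
```

Here john@bar.com is two steps from the role key and so authenticates, yet
may_update refuses him for FooCorp because no FooCorp POC record names his key.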


