ARIN-PPML Message

[ppml] Policy Proposal 2007-1 - Last Call

Policy Proposal 2007-1
Reinstatement of PGP Authentication Method

The ARIN Advisory Council (AC), acting under the provisions of the ARIN
Internet Resource Policy Evaluation Process (IRPEP), determined that
there is community consensus in favor of the proposal and moved it to
last call. The AC made this determination at their meeting at the
conclusion of the ARIN Public Policy meeting on 24 April 2007. The Chair
of the AC reported the results of the AC meeting during the Members
Meeting. The AC Chair's report can be found at:
http://www.arin.net/meetings/minutes/ARIN_XIX/mem.html

The policy proposal text is provided below and is also available at:
http://www.arin.net/policy/proposals/2007_1.html

Comments are encouraged. All comments should be provided to
ppml at arin.net. This last call will expire at 23:59, Eastern Time, 9 May
2007.

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


##*##


Policy Proposal 2007-1
Reinstatement of PGP Authentication Method

Proposal type: New

Policy term: Permanent

Policy statement:

ADDITION TO NRPM

12 Authentication Methods

12.1 Mail-From
This section intentionally left blank.

12.2 PGP
ARIN accepts PGP-signed email as authentic communication from authorized
Points of Contact. POCs may denote their records "crypt-auth,"
subsequent to which unsigned communications shall not be deemed
authentic with regard to those records.

12.3 X.509
This section intentionally left blank.

UPDATES TO TEMPLATES

ARIN shall update templates as necessary to identify and distinguish
between mail-from, PGP, and X.509 authentication methods.

UPDATES TO DOCUMENTATION

ARIN shall update documentation as appropriate to explain the
differences between mail-from, PGP, and X.509 authentication methods.

KEY USE IN COMMUNICATION:

ARIN shall accept PGP-signed communications, validate that a chain of
trust not longer than five steps exists between the signing key and the
ARIN hostmaster role key, compare the signing key to the identity of the
authorized POCs for records referenced in the correspondence, and act
appropriately based upon the validity or invalidity of the signature.

ARIN shall PGP-sign all outgoing hostmaster email with the hostmaster
role key, and staff members may optionally also sign mail with their own
individual keys.

ARIN shall accept PGP-encrypted communications which are encrypted using
ARIN's hostmaster public key.

ARIN shall not encrypt any outgoing communications except at the prior
request of the recipient.
Policy Rationale

Rationale:

Globally, PGP is the most commonly used cryptographic authentication
method between RIRs and resource recipients who wish to protect their
resource registration records against unauthorized modification. The
PGP-auth authentication method is supported by RIPE, APNIC, and AfriNIC,
LACNIC supports an equivalent mechanism, and PGP was historically
supported by the InterNIC prior to ARIN's formation. By contrast,
current ARIN resource recipients have only two options: "mail-from,"
which is trivially spoofed and should not be relied upon to protect
important database objects, and X.509, which involves a rigorous and
lengthy proof-of-identity process and compels use of a compatible MUA, a
combination which has dissuaded essentially all of ARIN's constituents.
Additionally, X.509's centralized failure mode is technically and
ideologically repugnant to some members of the community, who should not
be forced to choose between two evils.

There isn't a lot of work to do here, and certainly nothing tricky. PGP
is simple code, which was supported by the InterNIC, and which the other
RIRs deployed without a second thought or complaint. If RIPE and APNIC
have always done this, the InterNIC did it before ARIN was formed, and
LACNIC and AfriNIC took the need for cryptographic security for granted
as a part of their startup process, we see no reason why ARIN should be
the only RIR to not offer this most basic of protections to its members.

We need to get PGP support reinstated, so that our records can be
protected against hijacking and vandalism, and so we won't look like
idiots as the only one of the five regions that can't figure this stuff out.

Timetable for implementation: Immediate