[ppml] Policy Proposal 2007-1: Reinstatement of PGP Authentication Method
Member Services
info at arin.net
Fri Feb 16 17:48:22 EST 2007
- Previous message: [ppml] Policy Proposal: eGLOP multicast address assignments
- Next message: [ppml] Policy Proposal 2007-1: Reinstatement of PGP Authentication Method
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 15 February 2007 the ARIN Advisory Council (AC) concluded its review of 'Reinstatement of PGP Authentication Method' and accepted it as a formal policy proposal for discussion by the community. The proposal is designated Policy Proposal 2007-1: Reinstatement of PGP Authentication Method. The proposal text is below and can be found at: http://www.arin.net/policy/proposals/2007_1.html All persons in the community are encouraged to discuss Policy Proposal 2007-1 prior to it being presented at the ARIN Public Policy Meeting in San Juan, Puerto Rico, 23-24 April 2007. Both the discussion on the Public Policy Mailing List and at the Public Policy Meeting will be used to determine the community consensus regarding this policy proposal. The ARIN Internet Resource Policy Evaluation Process can be found at: http://www.arin.net/policy/irpep.html ARIN's Policy Proposal Archive can be found at: http://www.arin.net/policy/proposals/proposal_archive.html Regards, Member Services American Registry for Internet Numbers (ARIN) ## * ## Policy Proposal 2007-1: Reinstatement of PGP Authentication Method Authors: Paul Vixie, Mark Kosters, Chris Morrow, Jared Mauch, Bill Woodcock Proposal type: New Policy term: Permanent Policy statement: ADDITION TO NRPM 12 Authentication Methods 12.1 Mail-From This section intentionally left blank. 12.2 PGP ARIN accepts PGP-signed email as authentic communication from authorized Points of Contact. POCs may denote their records "crypt-auth," subsequent to which unsigned communications shall not be deemed authentic with regard to those records. 12.3 X.509 This section intentionally left blank. UPDATES TO TEMPLATES ARIN shall update templates as necessary to identify and distinguish between mail-from, PGP, and X.509 authentication methods. UPDATES TO DOCUMENTATION ARIN shall update documentation as appropriate to explain the differences between mail-from, PGP, and X.509 authentication methods. KEY USE IN COMMUNICATION: ARIN shall accept PGP-signed communications, validate that a chain of trust not longer than five steps exists between the signing key and the ARIN hostmaster role key, compare the signing key to the identity of the authorized POCs for records referenced in the correspondence, and act appropriately based upon the validity or invalidity of the signature. ARIN shall PGP-sign all outgoing hostmaster email with the hostmaster role key, and staff members may optionally also sign mail with their own individual keys. ARIN shall accept PGP-encrypted communications which are encrypted using ARIN's hostmaster public key. ARIN shall not encrypt any outgoing communications except at the prior request of the recipient. Rationale: Globally, PGP is the most commonly used cryptographic authentication method between RIRs and resource recipients who wish to protect their resource registration records against unauthorized modification. The PGP-auth authentication method is supported by RIPE, APNIC, and AfriNIC, LACNIC supports an equivalent mechanism, and PGP was historically supported by the InterNIC prior to ARIN's formation. By contrast, current ARIN resource recipients have only two options: "mail-from," which is trivially spoofed and should not be relied upon to protect important database objects, and X.509, which involves a rigorous and lengthy proof-of-identity process and compels use of a compatible MUA, a combination which has dissuaded essentially all of ARIN's constituents. Additionally, X.509's centralized failure mode is technically and ideologically repugnant to some members of the community, who should not be forced to choose between two evils. There isn't a lot of work to do here, and certainly nothing tricky. PGP is simple code, which was supported by the InterNIC, and which the other RIRs deployed without a second thought or complaint. If RIPE and APNIC have always done this, the InterNIC did it before ARIN was formed, and LACNIC and AfriNIC took the need for cryptographic security for granted as a part of their startup process, we see no reason why ARIN should be the only RIR to not offer this most basic of protections to its members. We need to get PGP support reinstated, so that our records can be protected against hijacking and vandalism, and so we won't look like idiots as the only one of the five regions that can't figure this stuff out. Timetable for implementation: Immediate
- Previous message: [ppml] Policy Proposal: eGLOP multicast address assignments
- Next message: [ppml] Policy Proposal 2007-1: Reinstatement of PGP Authentication Method
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the PPML mailing list