ARIN-PPML Message

[ppml] Policy Proposal: Reinstatement of PGP Authentication Method - revised text

This proposal is in the Initial Review stage of the ARIN Internet
Resource Policy Evaluation Process. On 2 November 2006 the ARIN Advisory
Council (AC) reviewed 'Reinstatement of PGP Authentication Method
(Version 1)' and decided to work with the author to revise the text. The
author revised the text. In accordance with the ARIN Internet Resource
Policy Evaluation Process, the proposal is being posted to the ARIN
Public Policy Mailing List (PPML) and being placed on ARIN's website.

The AC will review this proposal and may decide to:

1. Accept the proposal as a formal policy proposal as it is presented;

2. Work with the author to:
      a) clarify the language or intent of the proposal;
      b) divide the proposal into two (2) or more proposals; or
      c) combine the proposal with other proposals; or,

3. Not accept the proposal as a formal policy proposal.

The AC will review this proposal at their next meeting. If the AC
accepts the proposal, then it will be posted as a formal policy proposal
to PPML and it will be presented at a Public Policy Meeting. If the AC
does not accept the proposal, then the AC will explain that decision;
and at that time the author may elect to use the petition process to
advance their proposal. If the author elects not to petition or the
petition fails, then the proposal will be closed.

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Mailing list subscription information can be found at:
http://www.arin.net/mailing_lists/index.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Policy Proposal Name: Reinstatement of PGP Authentication Method

Authors

  Paul Vixie
  Mark Kosters
  Chris Morrow
  Jared Mauch
  Bill Woodcock

Proposal Version: 2

Proposal type: New

Policy term: Permanent

Policy statement:

        ADDITION TO NRPM

          12 Authentication Methods
              ARIN supports three authentication methods for
              communication with resource recipients.

              12.1 Mail-From
                    This section intentionally left blank.

              12.2 PGP
                    ARIN accepts PGP-signed email as authentic
                    communication from authorized Points of Contact. POCs
                    may denote their records "crypt-auth," subsequent to
                    which unsigned communications shall not be deemed
                    authentic with regard to those records.

              12.3 X.509
                    This section intentionally left blank.

        UPDATES TO TEMPLATES

          ARIN shall include a field in templates as necessary to
          identify and distinguish between cryptographic and mail-from
          authentication methods, generally following the practices of
          the other RIRs.

        UPDATES TO DOCUMENTATION

          ARIN shall update documentation as appropriate, to explain the
          differences between mail-from, PGP, and X.509 authentication
          methods.

        KEY USE IN COMMUNICATION:

          ARIN shall accept PGP-signed communications, validate the
          signature, compare it to the identity of the authorized POCs
          for records referenced in the correspondence, and act
          appropriately based upon the validity or invalidity of the
          signature.

          ARIN shall PGP-sign all outgoing hostmaster email with the
          hostmaster role key, and staff members may optionally also
          sign mail which they originate with their own individual keys.

          ARIN shall accept PGP-encrypted communications
          which are encrypted using ARIN's hostmaster public key.

          ARIN shall not encrypt any outgoing communications, except by
          explicit mutual prior agreement with the recipient.

        NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:

          It is recommended that ARIN utilize normal POC-verification
          processes as necessary to accommodate users who lose the
          private key or passphrase associated with the POCs for their
          crypt-auth protected resources.

          It is recommended that ARIN exercise reasonable caution in
          preventing the proliferation of copies of the hostmaster
          private key and passphrase.

          It is recommended that ARIN print out a copy of the private key
          and passphrase, and secure them in a safe-deposit box outside
          of ARIN's physical premises, which any two ARIN officers might
          access in the event that the operating copy of the key is lost
          or compromised.

          It is recommended that ARIN publish the hostmaster public key
          on the ARIN web site, in a manner similar to that of the other
          RIRs:
            http://lacnic.net/hostmaster-pub-key.txt
            https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
            ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY

          It is recommended that ARIN publish the hostmaster public key
          by submitting it to common PGP keyservers which, among others,
          might include:
            pgp.mit.edu
            www.pgp.net

          It is recommended that ARIN attempt to cross-sign the
          hostmaster PGP keys of the other four RIRs and ICANN.

          It is recommended that ARIN's hostmaster public key be signed
          by members of the ARIN board of trustees.

Rationale:

          Globally, PGP is the most commonly used cryptographic
          authentication method between RIRs and resource recipients who
          wish to protect their resource registration records against
          unauthorized modification. The PGP-auth authentication method
          is supported by RIPE, APNIC, and AfriNIC; LACNIC supports an
          equivalent mechanism, and it was historically supported by the
          InterNIC prior to ARIN's formation. By contrast, current ARIN
          resource recipients have only two options: "mail-from," which
          is trivially spoofed and should not be relied upon to protect
          important database objects, and X.509, which involves a
          rigorous and lengthy proof-of-identity process and compels use
          of a compatible MUA, a combination which has dissuaded
          essentially all of ARIN's constituents. Additionally, X.509's
          centralized failure mode is technically and ideologically
          repugnant to some members of the community, who should not be
          forced to choose between two evils.

          There isn't a lot of work to do here, and certainly nothing
          tricky. PGP is simple code, which was supported by the
          InterNIC, and which the other RIRs deployed without a second
          thought or complaint. If RIPE and APNIC have always done this,
          the InterNIC did it before ARIN was formed, and LACNIC and
          AfriNIC took the need for cryptographic security for granted as
          a part of their startup process, we see no reason why ARIN
          should be the only RIR to not offer this most basic of
          protections to its members.

          We need to get PGP support reinstated, so that our records can
          be protected against hijacking and vandalism, and so we won't
          look like idiots as the only one of the five regions that can't
          figure this stuff out.

Timetable for implementation: Immediate
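
The check described under "KEY USE IN COMMUNICATION" and section 12.2, as an added example that is not part of the proposal or of any ARIN system: it reads the machine-readable status lines that `gpg --status-fd` emits during verification and decides whether a request is authentic for every record it references. The record handles, mailboxes, fingerprints and status lines are constructed for illustration.

```python
import re

# Constructed key fingerprints and gpg --status-fd output (not real keys).
FPR_ALICE, FPR_OTHER = "A" * 40, "B" * 40
def _valid(fpr):
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Example POC\n"
            f"[GNUPG:] VALIDSIG {fpr} 2006-11-02 1162425600 0 4 0 1 2 00 {fpr}\n")
STATUS_GOOD = _valid(FPR_ALICE)
STATUS_OTHER = _valid(FPR_OTHER)           # valid signature, wrong signer
STATUS_BAD = f"[GNUPG:] BADSIG {FPR_ALICE[-16:]} Example POC\n"

# Hypothetical registry view: which POC mailboxes and keys may act on a record.
RECORDS = {
    "NET-EXAMPLE-1": {"crypt_auth": True, "poc_mail": {"alice@example.net"},
                      "poc_keys": {FPR_ALICE}},
    "NET-EXAMPLE-2": {"crypt_auth": False, "poc_mail": {"bob@example.org"},
                      "poc_keys": set()},
}

def valid_signer(status):
    """Fingerprint of the signing key, or None unless gpg reported a clean VALIDSIG."""
    # Bad, unverifiable, expired-key and revoked-key signatures never authenticate.
    if re.search(r"^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)\b", status, re.M):
        return None
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b", status, re.M)
    return m.group(1) if m else None

def authentic(handles, mail_from, status=""):
    """True only if the sender is authorized for every record referenced."""
    signer = valid_signer(status)
    for handle in handles:
        rec = RECORDS.get(handle)
        if rec is None:
            return False
        if rec["crypt_auth"]:
            # crypt-auth: the From header is ignored; only a POC key counts.
            if signer not in rec["poc_keys"]:
                return False
        elif signer not in rec["poc_keys"] and mail_from.lower() not in rec["poc_mail"]:
            return False                   # mail-from fallback also failed
    return True

if __name__ == "__main__":
    print(authentic(["NET-EXAMPLE-1"], "alice@example.net", STATUS_GOOD))
    print(authentic(["NET-EXAMPLE-1"], "alice@example.net"))  # spoofable From only
```
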