ARIN-PPML Message

[ppml] Policy Proposal: Documentation of the Mail-From Authentication Method - revised text

This proposal is in the Initial Review stage of the ARIN Internet
Resource Policy Evaluation Process. On 2 November 2006 the ARIN Advisory
Council (AC) reviewed 'Documentation of the Mail-From Authentication
Method (Version 1)' and decided to work with the author to revise the
text. The author revised the text. In accordance with the ARIN Internet
Resource Policy Evaluation Process, the proposal is being posted to the
ARIN Public Policy Mailing List (PPML) and being placed on ARIN's website.

The AC will review this proposal and may decide to:

1. Accept the proposal as a formal policy proposal as it is presented;

2. Work with the author to:
      a) clarify the language or intent of the proposal;
      b) divide the proposal into two (2) or more proposals; or
      c) combine the proposal with other proposals; or,

3. Not accept the proposal as a formal policy proposal.

The AC will review this proposal at their next meeting. If the AC
accepts the proposal, then it will be posted as a formal policy proposal
to PPML and it will be presented at a Public Policy Meeting. If the AC
does not accept the proposal, then the AC will explain that decision;
and at that time the author may elect to use the petition process to
advance their proposal. If the author elects not to petition or the
petition fails, then the proposal will be closed.

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Mailing list subscription information can be found at:
http://www.arin.net/mailing_lists/index.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Policy Proposal Name: Documentation of the Mail-From Authentication Method

Authors

  Paul Vixie
  Mark Kosters
  Chris Morrow
  Jared Mauch
  Bill Woodcock

Proposal Version: 2

Proposal type: New

Policy term: Permanent

Policy statement:

        DELETION FROM THE NRPM

           12.1 Mail-From
                 This section intentionally left blank.

        ADDITION TO THE NRPM

           12.1 Mail-From
                 Mail-From is the default authentication method by which
                 registration records are protected from vandalism. If a
                 registrant fails to designate a more secure method, any
                 subsequent email which bears the sender address of an
                 authorized Point of Contact may be deemed authentic with
                 regard to the registrant's records. Since it is trivial
                 to forge a sender address, Mail-From should not be
                 regarded as secure. Use of Mail-From authentication is
                 not recommended to any registrant who has the means to
                 implement either of the more secure cryptographic
                 authentication methods.
		
Rationale:

        This policy complements the previously-proposed "Reinstatement of
        PGP Authentication Method" which introduces section 12 to the
        NRPM. Section 12 relates the existence of three authentication
        methods. Two of those, mail-from and X.509, were preexisting but
        not documented within the NRPM.

        This policy proposal simply seeks to provide brief documentation
        of the existence of the mail-from authentication method. Because
        the specific wording of the documentation may be subject to
        debate, and is in no way interdependent upon the documentation of
        the other two methods, it is being proposed in a separate policy,
        so that consensus may be more easily reached.

Timetable for implementation: Immediate