From info at arin.net Tue Nov 21 16:14:32 2006
From: info at arin.net (Member Services)
Date: Tue, 21 Nov 2006 16:14:32 -0500
Subject: Policy Proposal: Reinstatement of PGP Authentication Method
In-Reply-To: <453F67ED.3020306@arin.net>
References: <82A5AA4A-2843-40A0-94F6-80B2D800A65F@pch.net> <453F67ED.3020306@arin.net>
Message-ID: <45636C38.5000309@arin.net>

On 2 November 2006 the ARIN Advisory Council (AC) reviewed
Reinstatement of PGP Authentication Method and did not accept it at this
time as a formal policy proposal. The AC will work with the author to
revise the text prior to taking further action.

The proposal text is below and can be found at:
http://www.arin.net/policy/proposals/submission_archive.html

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)

Member Services wrote:
> ARIN received the following policy proposal. In accordance with the ARIN
> Internet Resource Policy Evaluation Process, the proposal is being
> posted to the ARIN Public Policy Mailing List (PPML) and being placed on
> ARIN's website.
>
> The ARIN Advisory Council (AC) will review this proposal and may decide to:
>
> 1. Accept the proposal as a formal policy proposal as it is presented;
> 2. Work with the author to:
>    a) clarify the language or intent of the proposal;
>    b) divide the proposal into two (2) or more proposals; or
>    c) combine the proposal with other proposals; or,
> 3. Not accept the proposal as a formal policy proposal.
>
> This proposal was received within 10 days of the next scheduled meeting
> of the ARIN Advisory Council; the review period may be extended to the
> regularly scheduled meeting that occurs after the upcoming meeting.
>
> If the AC accepts the proposal or reaches an agreement with the author,
> then the proposal will be posted as a formal policy proposal to PPML and
> it will be presented at a Public Policy Meeting.
> If the AC does not accept the proposal or can not reach an agreement
> with the author, then the AC will notify the community of their
> decision with an explanation; at that time the author may elect to use
> the petition process to advance their proposal. If the author elects
> not to petition or the petition fails, then the proposal will be
> considered closed.
>
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
>
> Mailing list subscription information can be found at:
> http://www.arin.net/mailing_lists/index.html
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ## * ##
>
>
> Policy Proposal Name: Reinstatement of PGP Authentication Method
>
> Authors:
>   Paul Vixie
>   Mark Kosters
>   Chris Morrow
>   Jared Mauch
>   Bill Woodcock
>
> Submission Date: Tuesday, October 24, 2006
>
> Proposal type: New
>
> Policy term: Permanent
>
> Policy statement:
>
> ADDITION TO NRPM
>
> 3.5 Authentication Methods
>     ARIN supports three authentication methods for
>     communication with resource recipients.
>
> 3.5.1 Mail-From
>     This section intentionally left blank.
>
> 3.5.2 PGP
>     ARIN accepts PGP-signed email as authentic
>     communication from authorized Points of Contact. POCs
>     may denote their records "crypt-auth," subsequent to
>     which unsigned communications shall not be deemed
>     authentic with regard to those records.
>
> 3.5.3 X.509
>     This section intentionally left blank.
>
> UPDATES TO TEMPLATES
>
> ARIN shall include the auth-type field in request templates as
> necessary to distinguish between cryptographic and mail-from
> authentication methods.
>
> UPDATES TO DOCUMENTATION
>
> ARIN shall update documentation as appropriate, to explain the
> differences between mail-from, PGP, and X.509 authentication
> methods.
>
> KEY USE IN COMMUNICATION:
>
> ARIN shall accept PGP-signed communications, validate the
> signature, compare it to the identity of the authorized POCs
> for records referenced in the correspondence, and act
> appropriately based upon the validity or invalidity of the
> signature.
>
> ARIN shall PGP-sign all outgoing hostmaster email with the
> hostmaster role key, and staff members may optionally also
> sign mail which they originate with their own individual keys.
>
> ARIN shall accept PGP-encrypted communications
> which are encrypted using ARIN's hostmaster public key.
>
> ARIN shall not encrypt any outgoing communications, except by
> explicit mutual prior agreement with the recipient.
>
> NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:
>
> It is recommended that ARIN utilize normal POC-verification
> processes as necessary to accommodate users who lose the
> private key or passphrase associated with the POCs for their
> crypt-auth protected resources.
>
> It is recommended that ARIN exercise reasonable caution in
> preventing the proliferation of copies of the hostmaster
> private key and passphrase.
>
> It is recommended that ARIN print out a copy of the private key
> and passphrase, and secure them in a safe-deposit box outside
> of ARIN's physical premises, which any two ARIN officers might
> access in the event that the operating copy of the key is lost
> or compromised.
>
> It is recommended that ARIN publish the hostmaster public key
> on the ARIN web site, in a manner similar to that of the other
> RIRs:
>   http://lacnic.net/hostmaster-pub-key.txt
>   https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
>   ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY
>
> It is recommended that ARIN publish the hostmaster public key
> by submitting it to common PGP keyservers which, among others,
> might include:
>   pgp.mit.edu
>   www.pgp.net
>
> It is recommended that ARIN attempt to cross-sign the
> hostmaster PGP keys of the other four RIRs and ICANN.
>
> It is recommended that ARIN's hostmaster public key be signed
> by members of the ARIN board of trustees.
>
> Rationale:
>
> Globally, PGP is the most commonly used cryptographic
> authentication method between RIRs and resource recipients who
> wish to protect their resource registration records against
> unauthorized modification. The PGP-auth authentication method
> is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was
> historically supported by the InterNIC prior to ARIN's
> formation. By contrast, current ARIN resource recipients have
> only two options: "mail-from," which is trivially spoofed and
> should not be relied upon to protect important database
> objects, and X.509, which involves a rigorous and lengthy
> proof-of-identity process and compels use of a compatible MUA,
> a combination which has dissuaded virtually all of ARIN's
> constituents.
>
> There isn't a lot of work to do here, and certainly nothing
> tricky. The hostmaster key has existed since InterNIC days, and
> ARIN staff have verified that the key and passphrase are still
> known and working fine. This is simple code, which all the
> other RIRs deployed without a second thought or complaint. If
> RIPE and APNIC have always done this, the InterNIC did it
> before ARIN was formed, and LACNIC and AfriNIC took this for
> granted as a part of their startup process, we see no reason
> why ARIN should be the only RIR to not offer this most basic of
> protections to its members.
>
> We need to get PGP support reinstated, so that our records can
> be protected against hijacking and vandalism, and so we won't
> look like idiots as the only one of the five regions that can't
> figure this stuff out.
>
> Timetable for implementation: Immediate
>
>
> _______________________________________________
> PPML mailing list
> PPML at arin.net
> http://lists.arin.net/mailman/listinfo/ppml
>

From info at arin.net Tue Nov 21 16:15:21 2006
From: info at arin.net (Member Services)
Date: Tue, 21 Nov 2006 16:15:21 -0500
Subject: Policy Proposal: Documentation of the Mail-From Authentication Method
In-Reply-To: <453F67F8.5050307@arin.net>
References: <453F67F8.5050307@arin.net>
Message-ID: <45636C69.1020507@arin.net>

On 2 November 2006 the ARIN Advisory Council (AC) reviewed
Documentation of the Mail-From Authentication Method and did not accept
it at this time as a formal policy proposal. The AC will work with the
author to revise the text prior to taking further action.

The proposal text is below and can be found at:
http://www.arin.net/policy/proposals/submission_archive.html

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)

Member Services wrote:
> ARIN received the following policy proposal. In accordance with the ARIN
> Internet Resource Policy Evaluation Process, the proposal is being
> posted to the ARIN Public Policy Mailing List (PPML) and being placed on
> ARIN's website.
>
> The ARIN Advisory Council (AC) will review this proposal and may decide to:
>
> 1. Accept the proposal as a formal policy proposal as it is presented;
> 2. Work with the author to:
>    a) clarify the language or intent of the proposal;
>    b) divide the proposal into two (2) or more proposals; or
>    c) combine the proposal with other proposals; or,
> 3. Not accept the proposal as a formal policy proposal.
>
> This proposal was received within 10 days of the next scheduled meeting
> of the ARIN Advisory Council; the review period may be extended to the
> regularly scheduled meeting that occurs after the upcoming meeting.
>
> If the AC accepts the proposal or reaches an agreement with the author,
> then the proposal will be posted as a formal policy proposal to PPML and
> it will be presented at a Public Policy Meeting. If the AC does not
> accept the proposal or can not reach an agreement with the author, then
> the AC will notify the community of their decision with an explanation;
> at that time the author may elect to use the petition process to advance
> their proposal. If the author elects not to petition or the petition
> fails, then the proposal will be considered closed.
>
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
>
> Mailing list subscription information can be found at:
> http://www.arin.net/mailing_lists/index.html
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ## * ##
>
>
> Policy Proposal Name: Documentation of the Mail-From Authentication Method
>
> Authors:
>   Paul Vixie
>   Mark Kosters
>   Chris Morrow
>   Jared Mauch
>   Bill Woodcock
>
> Proposal Version: 1
>
> Submission Date: Tuesday, October 24, 2006
>
> Proposal type: New
>
> Policy term: Permanent
>
> Policy statement:
>
> DELETION FROM THE NRPM
>
> 3.5.1 Mail-From
>     This section intentionally left blank.
>
> ADDITION TO THE NRPM
>
> 3.5.1 Mail-From
>     Mail-From is the default authentication method by which
>     registration records are protected from vandalism. If a
>     registrant fails to designate a more secure method, any
>     subsequent email which bears the sender address of an
>     authorized Point of Contact may be deemed authentic with
>     regard to the registrant's records. Since it is trivial
>     to forge a sender address, Mail-From should not be
>     regarded as secure. Use of Mail-From authentication is
>     not recommended to any registrant who has the means to
>     implement either of the more secure cryptographic
>     authentication methods.
>
> Rationale:
>
> This policy complements the previously-proposed "Reinstatement of
> PGP Authentication Method" which introduces section 3.5 to the
> NRPM. Section 3.5 relates the existence of three authentication
> methods. Two of those, mail-from and X.509, were preexisting but
> not documented within the NRPM.
>
> This policy proposal simply seeks to provide brief documentation
> of the existence of the mail-from authentication method. Because
> the specific wording of the documentation may be subject to
> debate, and is in no way interdependent upon the documentation of
> the other two methods, it is being proposed in a separate policy,
> so that consensus may be more easily reached.
>
> Timetable for implementation: Immediate
>
> _______________________________________________
> PPML mailing list
> PPML at arin.net
> http://lists.arin.net/mailman/listinfo/ppml
>

From info at arin.net Tue Nov 21 16:17:06 2006
From: info at arin.net (Member Services)
Date: Tue, 21 Nov 2006 16:17:06 -0500
Subject: Policy Proposal: Documentation of the X.509 Authentication Method
In-Reply-To: <453F6805.3010100@arin.net>
References: <453F6805.3010100@arin.net>
Message-ID: <45636CD2.60202@arin.net>

On 2 November 2006 the ARIN Advisory Council (AC) reviewed
Documentation of the X.509 Authentication Method and did not accept it
at this time as a formal policy proposal. The AC will work with the
author to revise the text prior to taking further action.

The proposal text is below and can be found at:
http://www.arin.net/policy/proposals/submission_archive.html

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)

Member Services wrote:
> ARIN received the following policy proposal.
> In accordance with the ARIN Internet Resource Policy Evaluation
> Process, the proposal is being posted to the ARIN Public Policy
> Mailing List (PPML) and being placed on ARIN's website.
>
> The ARIN Advisory Council (AC) will review this proposal and may decide to:
>
> 1. Accept the proposal as a formal policy proposal as it is presented;
> 2. Work with the author to:
>    a) clarify the language or intent of the proposal;
>    b) divide the proposal into two (2) or more proposals; or
>    c) combine the proposal with other proposals; or,
> 3. Not accept the proposal as a formal policy proposal.
>
> This proposal was received within 10 days of the next scheduled meeting
> of the ARIN Advisory Council; the review period may be extended to the
> regularly scheduled meeting that occurs after the upcoming meeting.
>
> If the AC accepts the proposal or reaches an agreement with the author,
> then the proposal will be posted as a formal policy proposal to PPML and
> it will be presented at a Public Policy Meeting. If the AC does not
> accept the proposal or can not reach an agreement with the author, then
> the AC will notify the community of their decision with an explanation;
> at that time the author may elect to use the petition process to advance
> their proposal. If the author elects not to petition or the petition
> fails, then the proposal will be considered closed.
>
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
>
> Mailing list subscription information can be found at:
> http://www.arin.net/mailing_lists/index.html
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ## * ##
>
>
> Policy Proposal Name: Documentation of the X.509 Authentication Method
>
> Authors:
>   Paul Vixie
>   Mark Kosters
>   Chris Morrow
>   Jared Mauch
>   Bill Woodcock
>
> Proposal Version: 1
>
> Submission Date: Tuesday, October 24, 2006
>
> Proposal type: New
>
> Policy term: Permanent
>
> Policy statement:
>
> DELETION FROM THE NRPM
>
> 3.5.3 X.509
>     This section intentionally left blank.
>
> ADDITION TO THE NRPM
>
> 3.5.3 X.509
>     ARIN accepts X.509-signed transactions as authentic
>     communication from authorized Points of Contact. POCs
>     may denote their records "crypt-auth," subsequent to
>     which unsigned communications shall not be deemed
>     authentic with regard to those records.
>
> Rationale:
>
> This policy complements the previously-proposed "Reinstatement of
> PGP Authentication Method" which introduces section 3.5 to the
> NRPM. Section 3.5 relates the existence of three authentication
> methods. Two of those, mail-from and X.509, were preexisting but
> not documented within the NRPM.
>
> This policy proposal simply seeks to provide brief documentation
> of the existence of the X.509 authentication method. Because the
> specific wording of the documentation may be subject to debate,
> and is in no way interdependent upon the documentation of the
> other two methods, it is being proposed in a separate policy, so
> that consensus may be more easily reached.
>
> Timetable for implementation: Immediate
>
> _______________________________________________
> PPML mailing list
> PPML at arin.net
> http://lists.arin.net/mailman/listinfo/ppml
>

From info at arin.net Wed Nov 22 12:39:59 2006
From: info at arin.net (Member Services)
Date: Wed, 22 Nov 2006 12:39:59 -0500
Subject: Policy Implementation Schedule
Message-ID: <45648B6F.5000809@arin.net>

On 16 November 2006 the ARIN Board of Trustees adopted two policy
proposals. The proposals and their expected implementation dates are
listed below.

* 2006-2: Micro-allocations for Internal Infrastructure - Not later
  than 20 December 2006.

* 2006-3: Capturing Originations in Templates - Not later than 30 March
  2007.

As final implementation details are determined exact implementation
dates of these policies will be published.

Policy proposal texts are available at the Policy Proposal Archive which
can be found at:
http://www.arin.net/policy/proposal_archive.html

Regards,

Member Services Department
American Registry for Internet Numbers