[ppml] Policy Proposal 2007-3 - Staff Assessment

Policy Proposal 2007-3
Documentation of the X.509 Authentication Method

ARIN Staff Assessment

The assessment of this proposal includes comments from ARIN staff and
the ARIN General Counsel. It contains analysis of procedural, legal, and
resource concerns regarding the implementation of this policy proposal
as it is currently stated. Any changes to the language of the proposal
may necessitate further analysis by staff and Counsel.

I.	Proposal

   Policy Proposal 2007-3 is available as Annex A below and at:
   http://www.arin.net/policy/proposals/2007_3.html

II.	Understanding of the proposal

   ARIN staff understands that this proposal would support X.509
authentication; it relies on the adoption of Policy Proposal 2007-1:
Reinstatement of PGP Authentication Method.

III.	Issues and concerns

   A.	ARIN Staff

     1.	Proposals use the term "crypt-auth", term needs to be defined.
Also, would need specific notation, such as crypt-pgp and crypt-x509.

     2.	"Accepts X.509 signed transactions as authentic communications
from authorized POCs" - this needs clarification. What certification
sources should be considered when accepting X.509 certificates?

     3.	NRPM section 12.3 contains procedural language which constrains
ARIN's ability to act in the best interest of all parties.  It is too
restrictive and detailed.

     4.	At this time, ARIN’s functionality covers only e-mail based
communication. The policy uses the general term, “communication”, which
may be interpreted to cover other forms of electronic interaction such
as web-based communication. The only other “communication” that is
directly tied into a specific POC is voting. Should the Election System
need to be modified to allow x.509 authentication, assuming we could use
parts of the existing system, a ballpark estimate on implementation
would be 3-4 months.

     5.	We recommend that a new NRPM section be created, “12.
Communications” and that 12.1 be “Authentication”. The subsequent
numbering would change appropriately.

   B.	ARIN General Counsel

     The policy as proposed poses no significant legal risks for ARIN.

IV.	Resource Impact - Minimum

The resource impact of implementing this policy is viewed as minimum.
Barring any unforeseen resource requirements, this policy could be
implemented within 120 days from the date of the ratification of the
policy by the ARIN Board of Trustees. However, implementation will
depend on the outcome of Policy Proposal 2007-1: Reinstatement of PGP
Authentication Method. Implementation would not require the acquisition
of staff personnel or equipment. It will require the following:

- Revisions to registration guidelines
- Staff Training

Respectfully submitted,

Member Services
American Registry for Internet Numbers (ARIN)


##*##


Annex A

Policy Proposal 2007-3
Documentation of the X.509 Authentication Method

Policy statement

Proposal type: New

Policy term: Permanent

Policy statement:

DELETION FROM THE NRPM

12.3 X.509

This section intentionally left blank.

ADDITION TO THE NRPM

12.3 X.509

ARIN accepts X.509-signed transactions as authentic communication from
authorized Points of Contact. POCs may denote their records
"crypt-auth," subsequent to which unsigned communications shall not be
deemed authentic with regard to those records.

Rationale:

This policy complements the previously-proposed "Reinstatement of PGP
Authentication Method" which introduces section 12 to the NRPM. Section
12 relates the existence of three authentication methods. Two of those,
mail-from and X.509, were preexisting but not documented within the NRPM.

This policy proposal simply seeks to provide brief documentation of the
existence of the X.509 authentication method. Because the specific
wording of the documentation may be subject to debate, and is in no way
interdependent upon the documentation of the other two methods, it is
being proposed in a separate policy, so that consensus may be more
easily reached.

Timetable for implementation: Immediate