[ppml] Policy Proposal: Reinstatement of PGP Authentication Method
Member Services
info at arin.net
Tue Nov 21 16:14:32 EST 2006
On 2 November 2006 the ARIN Advisory Council (AC) reviewed Reinstatement
of PGP Authentication Method and did not accept it at this time as a
formal policy proposal. The AC will work with the author to revise the
text prior to taking further action.
The proposal text is below and can be found at:
http://www.arin.net/policy/proposals/submission_archive.html
The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html
Regards,
Member Services
American Registry for Internet Numbers (ARIN)
Member Services wrote:
> ARIN received the following policy proposal. In accordance with the ARIN
> Internet Resource Policy Evaluation Process, the proposal is being
> posted to the ARIN Public Policy Mailing List (PPML) and being placed on
> ARIN's website.
>
> The ARIN Advisory Council (AC) will review this proposal and may decide to:
>
> 1. Accept the proposal as a formal policy proposal as it is presented;
> 2. Work with the author to:
> a) clarify the language or intent of the proposal;
> b) divide the proposal into two (2) or more proposals; or
> c) combine the proposal with other proposals; or,
> 3. Not accept the proposal as a formal policy proposal.
>
> This proposal was received within 10 days of the next scheduled meeting
> of the ARIN Advisory Council; the review period may be extended to the
> regularly scheduled meeting that occurs after the upcoming meeting.
>
> If the AC accepts the proposal or reaches an agreement with the author,
> then the proposal will be posted as a formal policy proposal to PPML and
> it will be presented at a Public Policy Meeting. If the AC does not
> accept the proposal or can not reach an agreement with the author, then
> the AC will notify the community of their decision with an explanation;
> at that time the author may elect to use the petition process to advance
> their proposal. If the author elects not to petition or the petition
> fails, then the proposal will be considered closed.
>
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
>
> Mailing list subscription information can be found at:
> http://www.arin.net/mailing_lists/index.html
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ## * ##
>
>
> Policy Proposal Name: Reinstatement of PGP Authentication Method
>
> Authors:
> Paul Vixie
> Mark Kosters
> Chris Morrow
> Jared Mauch
> Bill Woodcock
>
> Submission Date: Tuesday, October 24, 2006
>
> Proposal type: New
>
> Policy term: Permanent
>
> Policy statement:
>
> ADDITION TO NRPM
>
> 3.5 Authentication Methods
> ARIN supports three authentication methods for
> communication with resource recipients.
>
> 3.5.1 Mail-From
> This section intentionally left blank.
>
> 3.5.2 PGP
> ARIN accepts PGP-signed email as authentic
> communication from authorized Points of Contact. POCs
> may denote their records "crypt-auth," subsequent to
> which unsigned communications shall not be deemed
> authentic with regard to those records.
>
> 3.5.3 X.509
> This section intentionally left blank.
>
> UPDATES TO TEMPLATES
>
> ARIN shall include the auth-type field in request templates as
> necessary to distinguish between cryptographic and mail-from
> authentication methods.
>
> UPDATES TO DOCUMENTATION
>
> ARIN shall update documentation as appropriate, to explain the
> differences between mail-from, PGP, and X.509 authentication
> methods.
>
> KEY USE IN COMMUNICATION:
>
> ARIN shall accept PGP-signed communications, validate the
> signature, compare it to the identity of the authorized POCs
> for records referenced in the correspondence, and act
> appropriately based upon the validity or invalidity of the
> signature.
>
> ARIN shall PGP-sign all outgoing hostmaster email with the
> hostmaster role key, and staff members may optionally also
> sign mail which they originate with their own individual keys.
>
> ARIN shall accept PGP-encrypted communications
> which are encrypted using ARIN's hostmaster public key.
>
> ARIN shall not encrypt any outgoing communications, except by
> explicit mutual prior agreement with the recipient.
>
> NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:
>
> It is recommended that ARIN utilize normal POC-verification
> processes as necessary to accommodate users who lose the
> private key or passphrase associated with the POCs for their
> crypt-auth protected resources.
>
> It is recommended that ARIN exercise reasonable caution in
> preventing the proliferation of copies of the hostmaster
> private key and passphrase.
>
> It is recommended that ARIN print out a copy of the private key
> and passphrase, and secure them in a safe-deposit box outside
> of ARIN's physical premises, which any two ARIN officers might
> access in the event that the operating copy of the key is lost
> or compromised.
>
> It is recommended that ARIN publish the hostmaster public key
> on the ARIN web site, in a manner similar to that of the other
> RIRs:
> http://lacnic.net/hostmaster-pub-key.txt
> https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
> ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY
>
> It is recommended that ARIN publish the hostmaster public key
> by submitting it to common PGP keyservers which, among others,
> might include:
> pgp.mit.edu
> www.pgp.net
>
> It is recommended that ARIN attempt to cross-sign the
> hostmaster PGP keys of the other four RIRs and ICANN.
>
> It is recommended that ARIN's hostmaster public key be signed
> by members of the ARIN board of trustees.
>
> Rationale:
>
> Globally, PGP is the most commonly used cryptographic
> authentication method between RIRs and resource recipients who
> wish to protect their resource registration records against
> unauthorized modification. The PGP-auth authentication method
> is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was
> historically supported by the InterNIC prior to ARIN's
> formation. By contrast, current ARIN resource recipients have
> only two options: "mail-from," which is trivially spoofed and
> should not be relied upon to protect important database
> objects, and X.509, which involves a rigorous and lengthy
> proof-of-identity process and compels use of a compatible MUA,
> a combination which has dissuaded virtually all of ARIN's
> constituents.
>
> There isn't a lot of work to do here, and certainly nothing
> tricky. The hostmaster key has existed since InterNIC days, and
> ARIN staff have verified that the key and passphrase are still
> known and working fine. This is simple code, which all the
> other RIRs deployed without a second thought or complaint. If
> RIPE and APNIC have always done this, the InterNIC did it
> before ARIN was formed, and LACNIC and AfriNIC took this for
> granted as a part of their startup process, we see no reason
> why ARIN should be the only RIR to not offer this most basic of
> protections to its members.
>
> We need to get PGP support reinstated, so that our records can
> be protected against hijacking and vandalism, and so we won't
> look like idiots as the only one of the five regions that can't
> figure this stuff out.
>
> Timetable for implementation: Immediate
>
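As an added illustration, not part of the proposal text or of any ARIN code, the decision rule spelled out in section 3.5.2 and under KEY USE IN COMMUNICATION above can be written down as a small program. The Go block below uses Ed25519 detached signatures from the standard library as a stand-in for PGP signatures (an assumption made because the standard library carries no OpenPGP implementation; the authorization logic is the same once a verified signature yields a key fingerprint). The record handles NET-EXAMPLE-1 and NET-EXAMPLE-2, the keyring and the message body are constructed sample data. The crypt-auth mark, the comparison of the signer against the authorized POCs of every record the correspondence refers to, and the fall-back to mail-from for unmarked records follow the proposal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one registry object. CryptAuth is the proposal's "crypt-auth" mark (once set,
// unsigned mail is never authentic for it); AuthKeys holds the fingerprints of the keys
// registered to the record's authorized Points of Contact.
type Record struct {
	CryptAuth bool
	AuthKeys  map[string]bool
}

// Registry stands in for the ARIN database plus the hostmaster keyring (constructed data).
type Registry struct {
	Records map[string]Record
	Keys    map[string]ed25519.PublicKey // fingerprint -> public key
}

// Request is one inbound message; Signature and SignerFP are empty for unsigned mail.
type Request struct {
	Body      []byte
	Records   []string // records the correspondence refers to
	Signature []byte
	SignerFP  string
}

// Fingerprint is hex(SHA-256(key)), standing in for a PGP key fingerprint.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Authenticate applies the proposal's rules: validate the signature, compare the signer
// with the authorized POCs of every referenced record, then return the accepted method
// ("pgp" or "mail-from"), or "" and a reason when the request is rejected.
func (r Registry) Authenticate(req Request) (method, reason string) {
	signed := len(req.Signature) > 0
	if signed {
		pub, ok := r.Keys[req.SignerFP]
		if !ok || !ed25519.Verify(pub, req.Body, req.Signature) {
			return "", "signature is from an unknown key or does not verify over the body"
		}
	}
	for _, h := range req.Records {
		rec, ok := r.Records[h]
		switch {
		case !ok:
			return "", "unknown record " + h
		case !signed && rec.CryptAuth:
			return "", h + " is crypt-auth; unsigned mail is not authentic"
		case signed && !rec.AuthKeys[req.SignerFP]:
			return "", "signer is not an authorized POC for " + h
		}
	}
	if signed {
		return "pgp", "valid signature from an authorized POC"
	}
	return "mail-from", "unsigned; referenced records accept mail-from"
}

// Signed builds a request carrying a detached signature over body and the signer's fingerprint.
func Signed(priv ed25519.PrivateKey, body []byte, records ...string) Request {
	fp := Fingerprint(priv.Public().(ed25519.PublicKey))
	return Request{Body: body, Records: records, Signature: ed25519.Sign(priv, body), SignerFP: fp}
}

// BuildScenario returns a registry of constructed sample data, the key of its registered
// POC, and a second key that is on the keyring but not registered to any POC.
func BuildScenario() (Registry, ed25519.PrivateKey, ed25519.PrivateKey) {
	pocPub, pocPriv, _ := ed25519.GenerateKey(nil)
	otherPub, otherPriv, _ := ed25519.GenerateKey(nil)
	reg := Registry{
		Records: map[string]Record{
			"NET-EXAMPLE-1": {CryptAuth: true, AuthKeys: map[string]bool{Fingerprint(pocPub): true}},
			"NET-EXAMPLE-2": {CryptAuth: false, AuthKeys: map[string]bool{Fingerprint(pocPub): true}},
		},
		Keys: map[string]ed25519.PublicKey{Fingerprint(pocPub): pocPub, Fingerprint(otherPub): otherPub},
	}
	return reg, pocPriv, otherPriv
}

func main() {
	reg, pocPriv, otherPriv := BuildScenario()
	body := []byte("please change the tech POC of NET-EXAMPLE-1\n")
	for _, req := range []Request{
		Signed(pocPriv, body, "NET-EXAMPLE-1"),           // accepted: pgp
		{Body: body, Records: []string{"NET-EXAMPLE-1"}}, // rejected: crypt-auth, unsigned
		{Body: body, Records: []string{"NET-EXAMPLE-2"}}, // accepted: mail-from
		Signed(otherPriv, body, "NET-EXAMPLE-2"),         // rejected: key is not a POC's
	} {
		method, reason := reg.Authenticate(req)
		fmt.Printf("%-11q %s\n", method, reason)
	}
}
```

Two points the proposal leaves to the implementer are fixed here one way: a request that refers to several records is accepted only if the signer is an authorized POC for every one of them, and a single crypt-auth record among them makes an unsigned request inauthentic as a whole. The signature is validated before authorization is considered, so a valid signature from a key that belongs to no POC of the referenced records is rejected just like an invalid one.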