[ppml] Policy Proposal: Reinstatement of PGP Authentication Method

Member Services info at arin.net
Tue Nov 21 16:14:32 EST 2006


On 2 November 2006 the ARIN Advisory Council (AC) reviewed Reinstatement 
of PGP Authentication Method and did not accept it at this time as a 
formal policy proposal. The AC will work with the author to revise the 
text prior to taking further action.

The proposal text is below and can be found at:
http://www.arin.net/policy/proposals/submission_archive.html

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


Member Services wrote:
> ARIN received the following policy proposal. In accordance with the ARIN
> Internet Resource Policy Evaluation Process, the proposal is being
> posted to the ARIN Public Policy Mailing List (PPML) and being placed on
> ARIN's website.
> 
> The ARIN Advisory Council (AC) will review this proposal and may decide to:
> 
> 1. Accept the proposal as a formal policy proposal as it is presented;
> 2. Work with the author to:
>      a) clarify the language or intent of the proposal;
>      b) divide the proposal into two (2) or more proposals; or
>      c) combine the proposal with other proposals; or,
> 3. Not accept the proposal as a formal policy proposal.
> 
> This proposal was received within 10 days of the next scheduled meeting
> of the ARIN Advisory Council; the review period may be extended to the
> regularly scheduled meeting that occurs after the upcoming meeting.
> 
> If the AC accepts the proposal or reaches an agreement with the author,
> then the proposal will be posted as a formal policy proposal to PPML and
> it will be presented at a Public Policy Meeting. If the AC does not
> accept the proposal or can not reach an agreement with the author, then
> the AC will notify the community of their decision with an explanation;
> at that time the author may elect to use the petition process to advance
> their proposal. If the author elects not to petition or the petition
> fails, then the proposal will be considered closed.
> 
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
> 
> Mailing list subscription information can be found at:
> http://www.arin.net/mailing_lists/index.html
> 
> Regards,
> 
> Member Services
> American Registry for Internet Numbers (ARIN)
> 
> 
> ## * ##
> 
> 
> Policy Proposal Name: Reinstatement of PGP Authentication Method
> 
> Authors:
> Paul Vixie
> Mark Kosters
> Chris Morrow
> Jared Mauch
> Bill Woodcock
> 
> Submission Date: Tuesday, October 24, 2006
> 
> Proposal type: New
> 
> Policy term: Permanent
> 
> Policy statement:
> 
>        ADDITION TO NRPM
> 
>          3.5 Authentication Methods
>              ARIN supports three authentication methods for
>              communication with resource recipients.
> 
>              3.5.1 Mail-From
>                    This section intentionally left blank.
> 
>              3.5.2 PGP
>                    ARIN accepts PGP-signed email as authentic
>                    communication from authorized Points of Contact. POCs
>                    may denote their records "crypt-auth," subsequent to
>                    which unsigned communications shall not be deemed
>                    authentic with regard to those records.
> 
>              3.5.3 X.509
>                    This section intentionally left blank.
> 
>        UPDATES TO TEMPLATES
> 
>          ARIN shall include the auth-type field in request templates as
>          necessary to distinguish between cryptographic and mail-from
>          authentication methods.
> 
>        UPDATES TO DOCUMENTATION
> 
>          ARIN shall update documentation as appropriate, to explain the
>          differences between mail-from, PGP, and X.509 authentication
>          methods.
> 
>        KEY USE IN COMMUNICATION:
> 
>          ARIN shall accept PGP-signed communications, validate the
>          signature, compare it to the identity of the authorized POCs
>          for records referenced in the correspondence, and act
>          appropriately based upon the validity or invalidity of the
>          signature.
> 
>          ARIN shall PGP-sign all outgoing hostmaster email with the
>          hostmaster role key, and staff members may optionally also
>          sign mail which they originate with their own individual keys.
> 
>          ARIN shall accept PGP-encrypted communications
>          which are encrypted using ARIN's hostmaster public key.
> 
>          ARIN shall not encrypt any outgoing communications, except by
>          explicit mutual prior agreement with the recipient.
> 
>        NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:
> 
>          It is recommended that ARIN utilize normal POC-verification
>          processes as necessary to accommodate users who lose the
>          private key or passphrase associated with the POCs for their
>          crypt-auth protected resources.
> 
>          It is recommended that ARIN exercise reasonable caution in
>          preventing the proliferation of copies of the hostmaster
>          private key and passphrase.
> 
>          It is recommended that ARIN print out a copy of the private key
>          and passphrase, and secure them in a safe-deposit box outside
>          of ARIN's physical premises, which any two ARIN officers might
>          access in the event that the operating copy of the key is lost
>          or compromised.
> 
>          It is recommended that ARIN publish the hostmaster public key
>          on the ARIN web site, in a manner similar to that of the other
>          RIRs:
>            http://lacnic.net/hostmaster-pub-key.txt
>            https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
>            ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY
> 
>          It is recommended that ARIN publish the hostmaster public key
>          by submitting it to common PGP keyservers which, among others,
>          might include:
>            pgp.mit.edu
>            www.pgp.net
> 
>          It is recommended that ARIN attempt to cross-sign the
>          hostmaster PGP keys of the other four RIRs and ICANN.
> 
>          It is recommended that ARIN's hostmaster public key be signed
>          by members of the ARIN board of trustees.
> 
> Rationale:
> 
>          Globally, PGP is the most commonly used cryptographic
>          authentication method between RIRs and resource recipients who
>          wish to protect their resource registration records against
>          unauthorized modification. The PGP-auth authentication method
>          is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was
>          historically supported by the InterNIC prior to ARIN's
>          formation. By contrast, current ARIN resource recipients have
>          only two options: "mail-from," which is trivially spoofed and
>          should not be relied upon to protect important database
>          objects, and X.509, which involves a rigorous and lengthy
>          proof-of-identity process and compels use of a compatible MUA,
>          a combination which has dissuaded virtually all of ARIN's
>          constituents.
> 
>          There isn't a lot of work to do here, and certainly nothing
>          tricky. The hostmaster key has existed since InterNIC days, and
>          ARIN staff have verified that the key and passphrase are still
>          known and working fine. This is simple code, which all the
>          other RIRs deployed without a second thought or complaint. If
>          RIPE and APNIC have always done this, the InterNIC did it
>          before ARIN was formed, and LACNIC and AfriNIC took this for
>          granted as a part of their startup process, we see no reason
>          why ARIN should be the only RIR to not offer this most basic of
>          protections to its members.
> 
>          We need to get PGP support reinstated, so that our records can
>          be protected against hijacking and vandalism, and so we won't
>          look like idiots as the only one of the five regions that can't
>          figure this stuff out.
> 
> Timetable for implementation: Immediate
> 
> 
> _______________________________________________
> PPML mailing list
> PPML at arin.net
> http://lists.arin.net/mailman/listinfo/ppml
> 
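The "KEY USE IN COMMUNICATION" section and the crypt-auth flag in 3.5.2 together describe a procedure: verify the PGP signature on an incoming message, map the signing key to the POCs authorized for the records the message refers to, and act on whether the signature is valid. The block below is an added example written for this page; it is not code from the proposal's authors, from ARIN, or from any other RIR. It assumes verification is delegated to gpg and that the machine-readable lines gpg prints with --status-fd are parsed; the POC records, e-mail addresses, key fingerprints and status lines are constructed for illustration, and the record field names (auth_type, key_fingerprints) are this example's own, not ARIN template fields.

```python
"""Added example: turning a gpg signature check into the authentication
decision the proposal describes. gpg is not run here; the block parses the
[GNUPG:] status lines that `gpg --status-fd 1 --verify` emits (GOODSIG,
VALIDSIG, BADSIG, EXPKEYSIG, REVKEYSIG, ERRSIG, per GnuPG's doc/DETAILS),
binds the signing key to a POC record and applies the crypt-auth rule.
All handles, addresses, fingerprints and status text are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Poc:
    handle: str
    email: str
    auth_type: str                      # "mail-from" or "crypt-auth" (assumed field/values)
    key_fingerprints: FrozenSet[str]    # 40-hex primary key fingerprints bound to the POC


@dataclass(frozen=True)
class SigResult:
    status: str                         # valid | bad | expired | revoked | unknown_key | unsigned
    fingerprint: Optional[str] = None   # primary key fingerprint taken from VALIDSIG


def parse_gpg_status(status_text: str) -> SigResult:
    """Reduce gpg --status-fd output to one verdict.

    Only VALIDSIG carries a full fingerprint (its last field is the primary
    key's); GOODSIG carries a 64-bit key ID, too short to bind to a POC, so
    the lookup uses the fingerprint only. Negative statuses win because gpg
    still prints VALIDSIG for an expired or revoked key. TRUST_* lines are
    ignored on purpose: the binding comes from the POC record, not the WoT."""
    seen = set()
    fingerprint = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        seen.add(fields[1])
        if fields[1] == "VALIDSIG":
            # VALIDSIG fpr date ts expire ver reserved pkalgo hashalgo class [primary_fpr]
            fingerprint = (fields[-1] if len(fields) >= 12 else fields[2]).upper()
    for keyword, status in (("BADSIG", "bad"), ("REVKEYSIG", "revoked"),
                            ("EXPKEYSIG", "expired"), ("ERRSIG", "unknown_key")):
        if keyword in seen:
            return SigResult(status, fingerprint)
    if "GOODSIG" in seen and fingerprint:
        return SigResult("valid", fingerprint)
    return SigResult("unsigned")


def authenticate(poc: Poc, mail_from: str, sig: SigResult) -> Tuple[bool, str]:
    """crypt-auth records accept only a valid signature from a key bound to
    the POC. mail-from records fall back to the sender address (spoofable,
    as the rationale notes) for unsigned mail; a message that carries a bad,
    expired or revoked signature is rejected rather than downgraded to
    mail-from (a design choice of this example, not proposal text)."""
    if sig.status == "valid":
        if sig.fingerprint in poc.key_fingerprints:
            return True, "valid signature from a key bound to %s" % poc.handle
        return False, "valid signature, but key %s is not bound to %s" % (sig.fingerprint, poc.handle)
    if poc.auth_type == "crypt-auth":
        return False, "%s is crypt-auth and signature status is %s" % (poc.handle, sig.status)
    if sig.status != "unsigned":
        return False, "signature present but %s; not downgrading to mail-from" % sig.status
    if mail_from.strip().lower() == poc.email.lower():
        return True, "mail-from match (spoofable)"
    return False, "mail-from mismatch"


# Constructed sample data.
POC_FPR = "D1A2B3C4E5F60718293A4B5C6D7E8F9012345678"
OTHER_FPR = "0000111122223333444455556666777788889999"
POC_CRYPT = Poc("EXAMPLE-POC-ARIN", "poc@example.net", "crypt-auth", frozenset({POC_FPR}))
POC_MAILFROM = Poc("LEGACY-POC-ARIN", "legacy@example.net", "mail-from", frozenset())

STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 6D7E8F9012345678 Example POC <poc@example.net>\n"
    "[GNUPG:] VALIDSIG %s 2006-10-24 1161691200 0 4 0 17 2 00 %s\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n" % (POC_FPR, POC_FPR))
STATUS_OTHER_KEY = STATUS_GOOD.replace(POC_FPR, OTHER_FPR).replace("6D7E8F9012345678", "6666777788889999")
STATUS_EXPIRED = STATUS_GOOD.replace("GOODSIG", "EXPKEYSIG")
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 6D7E8F9012345678 Example POC <poc@example.net>\n"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the constructed cases; returns case name -> (accepted, reason)."""
    return {
        "crypt-auth, bound key": authenticate(POC_CRYPT, "poc@example.net", parse_gpg_status(STATUS_GOOD)),
        "crypt-auth, unbound key": authenticate(POC_CRYPT, "poc@example.net", parse_gpg_status(STATUS_OTHER_KEY)),
        "crypt-auth, expired key": authenticate(POC_CRYPT, "poc@example.net", parse_gpg_status(STATUS_EXPIRED)),
        "crypt-auth, unsigned": authenticate(POC_CRYPT, "poc@example.net", SigResult("unsigned")),
        "mail-from, unsigned match": authenticate(POC_MAILFROM, "legacy@example.net", SigResult("unsigned")),
        "mail-from, unsigned spoof": authenticate(POC_MAILFROM, "legacy@example.org", SigResult("unsigned")),
        "mail-from, bad signature": authenticate(POC_MAILFROM, "legacy@example.net", parse_gpg_status(STATUS_BAD)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-28s %s  %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

The point the code makes that the policy text leaves implicit: the check that protects a record is the binding of a full key fingerprint to the POC, not the presence of a signature or a GOODSIG line, and an attacker's perfectly valid signature with an unbound key is rejected exactly like an unsigned message.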
