[ppml] Policy Proposal: Reinstatement of PGP Authentication Method

Bill Woodcock woody at pch.net
Tue Oct 24 17:37:29 EDT 2006


    1. Policy Proposal Name: Reinstatement of PGP Authentication Method

    2. Authors:

          1. name: Paul Vixie
          2. email: paul at vix.com
          3. telephone: +1 650 423 1300
          4. organization: Internet Systems Consortium

          1. name: Mark Kosters
          2. email: markk at verisignlabs.com
          3. telephone: +1 703 948 3200
          4. organization: Verisign

          1. name: Chris Morrow
          2. email: christopher.morrow at verizonbusiness.com
          3. telephone: +1 703 886 3823
          4. organization: Verizon Business/UUnet

          1. name: Jared Mauch
          2. email: jmauch at us.ntt.net
          3. telephone: +1 214 915 1356
          4. organization: NTT/Verio

          1. name: Bill Woodcock
          2. email: woody at pch.net
          3. telephone: +1 415 831 3100
          4. organization: Packet Clearing House

    3. Proposal Version: 1

    4. Submission Date: Tuesday, October 24, 2006

    5. Proposal type: New

    6. Policy term: Permanent

    7. Policy statement:

       ADDITION TO NRPM

         3.5 Authentication Methods
             ARIN supports three authentication methods for
             communication with resource recipients.

             3.5.1 Mail-From
                   This section intentionally left blank.

             3.5.2 PGP
                   ARIN accepts PGP-signed email as authentic
                   communication from authorized Points of Contact. POCs
                   may denote their records "crypt-auth," subsequent to
                   which unsigned communications shall not be deemed
                   authentic with regard to those records.

             3.5.3 X.509
                   This section intentionally left blank.

       UPDATES TO TEMPLATES

         ARIN shall include the auth-type field in request templates as
         necessary to distinguish between cryptographic and mail-from
         authentication methods.

       UPDATES TO DOCUMENTATION

         ARIN shall update documentation as appropriate, to explain the
         differences between mail-from, PGP, and X.509 authentication
         methods.

       KEY USE IN COMMUNICATION:

         ARIN shall accept PGP-signed communications, validate the
         signature, compare it to the identity of the authorized POCs
         for records referenced in the correspondence, and act
         appropriately based upon the validity or invalidity of the
         signature.

         ARIN shall PGP-sign all outgoing hostmaster email with the
         hostmaster role key, and staff members may optionally also
         sign mail which they originate with their own individual keys.

         ARIN shall accept PGP-encrypted communications
         which are encrypted using ARIN's hostmaster public key.

         ARIN shall not encrypt any outgoing communications, except by
         explicit mutual prior agreement with the recipient.

       NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:

         It is recommended that ARIN utilize normal POC-verification
         processes as necessary to accommodate users who lose the
         private key or passphrase associated with the POCs for their
         crypt-auth protected resources.

         It is recommended that ARIN exercise reasonable caution in
         preventing the proliferation of copies of the hostmaster
         private key and passphrase.

         It is recommended that ARIN print out a copy of the private key
         and passphrase, and secure them in a safe-deposit box outside
         of ARIN's physical premises, which any two ARIN officers might
         access in the event that the operating copy of the key is lost
         or compromised.

         It is recommended that ARIN publish the hostmaster public key
         on the ARIN web site, in a manner similar to that of the other
         RIRs:
           http://lacnic.net/hostmaster-pub-key.txt
           https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
           ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY

         It is recommended that ARIN publish the hostmaster public key
         by submitting it to common PGP keyservers which, among others,
         might include:
           pgp.mit.edu
           www.pgp.net

         It is recommended that ARIN attempt to cross-sign the
         hostmaster PGP keys of the other four RIRs and ICANN.

         It is recommended that ARIN's hostmaster public key be signed
         by members of the ARIN board of trustees.

    8. Rationale:

         Globally, PGP is the most commonly used cryptographic
         authentication method between RIRs and resource recipients who
         wish to protect their resource registration records against
         unauthorized modification. The PGP-auth authentication method
         is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was
         historically supported by the InterNIC prior to ARIN's
         formation. By contrast, current ARIN resource recipients have
         only two options: "mail-from," which is trivially spoofed and
         should not be relied upon to protect important database
         objects, and X.509, which involves a rigorous and lengthy
         proof-of-identity process and compels use of a compatible MUA,
         a combination which has dissuaded virtually all of ARIN's
         constituents.

         There isn't a lot of work to do here, and certainly nothing
         tricky. The hostmaster key has existed since InterNIC days, and
         ARIN staff have verified that the key and passphrase are still
         known and working fine. This is simple code, which all the
         other RIRs deployed without a second thought or complaint. If
         RIPE and APNIC have always done this, the InterNIC did it
         before ARIN was formed, and LACNIC and AfriNIC took this for
         granted as a part of their startup process, we see no reason
         why ARIN should be the only RIR to not offer this most basic of
         protections to its members.

         We need to get PGP support reinstated, so that our records can
         be protected against hijacking and vandalism, and so we won't
         look like idiots as the only one of the five regions that can't
         figure this stuff out.

    9. Timetable for implementation: Immediate

   10. Meeting presenter: Bill Woodcock

END OF TEMPLATE

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20061024/d9a652e4/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20061024/d9a652e4/attachment.sig>


More information about the ARIN-PPML mailing list