[ppml] Policy Proposal: Reinstatement of PGP Authentication Method
Owen DeLong
owen at delong.com
Tue Oct 24 18:26:55 EDT 2006
I completely support this policy as written. Well done.
Owen
On Oct 24, 2006, at 2:37 PM, Bill Woodcock wrote:
> 1. Policy Proposal Name: Reinstatement of PGP Authentication Method
>
> 2. Authors:
>
> 1. name: Paul Vixie
> 2. email: paul at vix.com
> 3. telephone: +1 650 423 1300
> 4. organization: Internet Systems Consortium
>
> 1. name: Mark Kosters
> 2. email: markk at verisignlabs.com
> 3. telephone: +1 703 948 3200
> 4. organization: Verisign
>
> 1. name: Chris Morrow
> 2. email: christopher.morrow at verizonbusiness.com
> 3. telephone: +1 703 886 3823
> 4. organization: Verizon Business/UUnet
>
> 1. name: Jared Mauch
> 2. email: jmauch at us.ntt.net
> 3. telephone: +1 214 915 1356
> 4. organization: NTT/Verio
>
> 1. name: Bill Woodcock
> 2. email: woody at pch.net
> 3. telephone: +1 415 831 3100
> 4. organization: Packet Clearing House
>
> 3. Proposal Version: 1
>
> 4. Submission Date: Tuesday, October 24, 2006
>
> 5. Proposal type: New
>
> 6. Policy term: Permanent
>
> 7. Policy statement:
>
> ADDITION TO NRPM
>
> 3.5 Authentication Methods
> ARIN supports three authentication methods for
> communication with resource recipients.
>
> 3.5.1 Mail-From
> This section intentionally left blank.
>
> 3.5.2 PGP
> ARIN accepts PGP-signed email as authentic
> communication from authorized Points of Contact.
> POCs may denote their records "crypt-auth," subsequent to
> which unsigned communications shall not be deemed
> authentic with regard to those records.
>
> 3.5.3 X.509
> This section intentionally left blank.
>
> UPDATES TO TEMPLATES
>
> ARIN shall include the auth-type field in request templates as
> necessary to distinguish between cryptographic and mail-from
> authentication methods.
>
> UPDATES TO DOCUMENTATION
>
> ARIN shall update documentation as appropriate, to explain the
> differences between mail-from, PGP, and X.509 authentication
> methods.
>
> KEY USE IN COMMUNICATION:
>
> ARIN shall accept PGP-signed communications, validate the
> signature, compare it to the identity of the authorized POCs
> for records referenced in the correspondence, and act
> appropriately based upon the validity or invalidity of the
> signature.
>
> ARIN shall PGP-sign all outgoing hostmaster email with the
> hostmaster role key, and staff members may optionally also
> sign mail which they originate with their own individual keys.
>
> ARIN shall accept PGP-encrypted communications
> which are encrypted using ARIN's hostmaster public key.
>
> ARIN shall not encrypt any outgoing communications, except by
> explicit mutual prior agreement with the recipient.
>
> NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:
>
> It is recommended that ARIN utilize normal POC-verification
> processes as necessary to accommodate users who lose the
> private key or passphrase associated with the POCs for their
> crypt-auth protected resources.
>
> It is recommended that ARIN exercise reasonable caution in
> preventing the proliferation of copies of the hostmaster
> private key and passphrase.
>
> It is recommended that ARIN print out a copy of the private key
> and passphrase, and secure them in a safe-deposit box outside
> of ARIN's physical premises, which any two ARIN officers might
> access in the event that the operating copy of the key is lost
> or compromised.
>
> It is recommended that ARIN publish the hostmaster public key
> on the ARIN web site, in a manner similar to that of the other
> RIRs:
> http://lacnic.net/hostmaster-pub-key.txt
> https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
> ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY
>
> It is recommended that ARIN publish the hostmaster public key
> by submitting it to common PGP keyservers which, among others,
> might include:
> pgp.mit.edu
> www.pgp.net
>
> It is recommended that ARIN attempt to cross-sign the
> hostmaster PGP keys of the other four RIRs and ICANN.
>
> It is recommended that ARIN's hostmaster public key be signed
> by members of the ARIN board of trustees.
>
> 8. Rationale:
>
> Globally, PGP is the most commonly used cryptographic
> authentication method between RIRs and resource recipients who
> wish to protect their resource registration records against
> unauthorized modification. The PGP-auth authentication method
> is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was
> historically supported by the InterNIC prior to ARIN's
> formation. By contrast, current ARIN resource recipients have
> only two options: "mail-from," which is trivially spoofed and
> should not be relied upon to protect important database
> objects, and X.509, which involves a rigorous and lengthy
> proof-of-identity process and compels use of a compatible MUA,
> a combination which has dissuaded virtually all of ARIN's
> constituents.
>
> There isn't a lot of work to do here, and certainly nothing
> tricky. The hostmaster key has existed since InterNIC days, and
> ARIN staff have verified that the key and passphrase are still
> known and working fine. This is simple code, which all the
> other RIRs deployed without a second thought or complaint. If
> RIPE and APNIC have always done this, the InterNIC did it
> before ARIN was formed, and LACNIC and AfriNIC took this for
> granted as a part of their startup process, we see no reason
> why ARIN should be the only RIR to not offer this most basic of
> protections to its members.
>
> We need to get PGP support reinstated, so that our records can
> be protected against hijacking and vandalism, and so we won't
> look like idiots as the only one of the five regions that can't
> figure this stuff out.
>
> 9. Timetable for implementation: Immediate
>
> 10. Meeting presenter: Bill Woodcock
>
> END OF TEMPLATE
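The acceptance rule that section 3.5.2 and "Key use in communication" describe (validate the signature, match the signing key to an authorized POC of each referenced record, and refuse unsigned mail once a record is marked crypt-auth) can be written as a small decision function. This is an added example, not code from the proposal or from ARIN; the record and POC model, the registry, and the `sig_status`/`signer_fpr` fields (assumed to come from an external signature verifier such as `gpg --verify`) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Poc:
    handle: str
    email: str
    pgp_fingerprint: Optional[str] = None   # key the POC registered, if any


@dataclass(frozen=True)
class Record:
    name: str
    pocs: tuple                             # authorized POCs for this record
    crypt_auth: bool = False                # POC-denoted "crypt-auth" (NRPM 3.5.2)


@dataclass(frozen=True)
class Request:
    mail_from: str                          # From address of the incoming email
    records: tuple                          # record names the request touches
    sig_status: str = "none"                # "none", "valid" or "bad" (verifier output)
    signer_fpr: Optional[str] = None        # fingerprint of the signing key, if valid


def authenticate(req: Request, registry: Dict[str, Record]) -> Tuple[bool, str]:
    """Decide whether req may modify every record it references."""
    if req.sig_status == "bad":
        return False, "signature present but does not verify"
    signed = req.sig_status == "valid" and req.signer_fpr is not None
    for name in req.records:
        rec = registry.get(name)
        if rec is None:
            return False, "unknown record " + name
        if signed:
            # PGP path: the key must belong to a POC authorized for this record
            if not any(p.pgp_fingerprint == req.signer_fpr for p in rec.pocs):
                return False, "signing key is not bound to a POC of " + name
            continue
        # Mail-from path: no longer available once the record is crypt-auth
        if rec.crypt_auth:
            return False, name + " is crypt-auth; unsigned mail is not authentic"
        if not any(p.email.lower() == req.mail_from.lower() for p in rec.pocs):
            return False, req.mail_from + " is not a POC of " + name
    return True, "authenticated"


# Constructed sample registry (hypothetical handles, addresses and fingerprints)
ALICE = Poc("AL1-EXAMPLE", "alice@example.net", "FPR-ALICE-0001")
BOB = Poc("BO1-EXAMPLE", "bob@example.org")
REGISTRY = {
    "NET-EXAMPLE-1": Record("NET-EXAMPLE-1", (ALICE,), crypt_auth=True),
    "NET-EXAMPLE-2": Record("NET-EXAMPLE-2", (BOB,)),
}
```

A request touching several records is accepted only if every record's own rule passes, so one crypt-auth record in the set forces the whole request onto the PGP path.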