[ppml] the "other" policy proposals
bicknell at ufp.org
Mon Apr 9 09:01:55 EDT 2007
I'm going to try and stay strict to Marty's technical issues.
1) "Certificates are more commercial." While it's true more
businesses use certificates and that more business software is
likely to support X.509 that doesn't expose the real mechanics
of the situation. A vast majority of businesses create their
own CA which they trust internally (generally by pre-loading on
PC's). These internal CA's generally aren't seen outside the
company at all, and if they are there's no good mechanism to
trust them as valid.
Specifically before someone asks, it's likely that a company
will purchase a commercial certificate for www.company.com, while
using a internally run and operated CA internally with a wholly
separate certificate. I believe this is driven by a combination
of cost and administration difficulty.
2) "PGP is hard / costly to implement." PGP is available completely
for free even for commercial use, one instance is at
http://www.gnupg.org/. While I would agree there is less corporate
support for PGP, there is a significantly higher use of PGP by
Network Technologists due to a long history of being used for
Domain, Numbering Resources and other Internet purposes. I also
personally believe this will be the method of choice for automated
tools since the command line clients for PGP are generally easier
to incorporate into such home-grown solutions.
I don't believe ARIN can implement this feature for free, however
I do believe that it should be relatively inexpensive and easy
for ARIN to implement.
Now, to the real point:
ARIN resources are not properly secured from unauthorized changes.
We need to REMOVE Mail-From entirely. It is not secure. I suspect
there is already some abuse going on, and as we move to IPv4 exhaustion
it will only get worse. The sooner we start the better.
I see no reason why ARIN can't cost effectively support X.509
Certificates, PGP Authentication, and high grade SSL web based
authentication. (And that web authentication could be both X.509 based,
as well as password, token, or other methods.)
I fully support this proposal as an excellent first step.
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
More information about the ARIN-PPML