[ppml] mail auth proposals, was Re: the "other"...

[Edward Lewis]

At 9:01 -0400 4/9/07, Leo Bicknell wrote:

>We need to REMOVE Mail-From entirely.

I like such brash thinking but it seems to take a lot to "raise the bar."

To help justify this, I am surprised ARIN records are treated 
seriously in a legal environment knowing how easy it is to falsify 
them.  Having gained a legal education via watching prime-time TV 
police dramas, isn't there something about the chain of custody of 
evidence?

I do have one question about the suggestion - what about the "legacy" 
or pre-ARIN space in the database?  I don't know if we can arrange a 
trust relationship with anyone that has never agreed to ARIN's 
management of the, umm, registrations.

>I see no reason why ARIN can't cost effectively support X.509
>Certificates, PGP Authentication, and high grade SSL web based
>authentication.  (And that web authentication could be both X.509 based,
>as well as password, token, or other methods.)

Having once considered how I would go about arranging for secured 
email via X.509 or PGP, I settled first on X.509 as it was easier to 
document a policy for that.  The relationship is "clearer" in that 
one side asserts that there is a binding between some cryptographic 
data and an identified object.  In PGP, with the idea of transitive 
trust via trusted introducers the picture became a little fuzzy. 
Both are doable, but one is easier to manage if you are the side 
doing the asserting (and are also relying on the assertions).  What I 
am saying is that I prefer X.509 but I wouldn't object to ARIN 
supporting both X.509 and PGP.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Sarcasm doesn't scale.