[ppml] mail auth proposals, was Re: the "other"...
Ed.Lewis at neustar.biz
Mon Apr 9 09:40:45 EDT 2007
At 9:01 -0400 4/9/07, Leo Bicknell wrote:
>We need to REMOVE Mail-From entirely.
I like such brash thinking but it seems to take a lot to "raise the bar."
To help justify this, I am surprised ARIN records are treated
seriously in a legal environment knowing how easy it is to falsify
them. Having gained a legal education via watching prime-time TV
police dramas, isn't there something about the chain of custody of
I do have one question about the suggestion - what about the "legacy"
or pre-ARIN space in the database? I don't know if we can arrange a
trust relationship with anyone that has never agreed to ARIN's
management of the, umm, registrations.
>I see no reason why ARIN can't cost effectively support X.509
>Certificates, PGP Authentication, and high grade SSL web based
>authentication. (And that web authentication could be both X.509 based,
>as well as password, token, or other methods.)
Having once considered how I would go about arranging for secured
email via X.509 or PGP, I settled first on X.509 as it was easier to
document a policy for that. The relationship is "clearer" in that
one side asserts that there is a binding between some cryptographic
data and an identified object. In PGP, with the idea of transitive
trust via trusted introducers the picture became a little fuzzy.
Both are doable, but one is easier to manage if you are the side
doing the asserting (and are also relying on the assertions). What I
am saying is that I prefer X.509 but I wouldn't object to ARIN
supporting both X.509 and PGP.
Edward Lewis +1-571-434-5468
Sarcasm doesn't scale.
More information about the ARIN-PPML