[ppml] The authentication proposals, 1, 2, 3

michael.dillon at bt.com michael.dillon at bt.com
Mon Apr 9 16:39:25 EDT 2007

There are three policy proposals which talk about authentication
techniques for communications between ARIN and members/applicants, etc.
These are the three.


I'm of two minds about these. First of all, I'd rather that these
proposals were not there. I'd rather that the policy not mention these
things at all. And I would rather that such matters be dealt with in the
ARIN Suggestion Box, not through PPML. 

If anything, I think policy needs to go no further than to state that
ARIN will support commonly used authentication/encryption protocols to
secure the communications between ARIN and various parties such as
applicants, SWIPpers, db updaters, members. The preceding sentence isn't
the right language, but that is the gist of what I think needs to be in
policy. The rest of the details are operational technical matters and
should, in my opinion, definitely not be in the policy. Having them in
the policy blindsides ARIN and ARIN technical staff into thinking that
they are doing a good job when they are not. The same goes for the board
of trustees. I think that especially, the Board of Trustees, namely
Scott Bradner, John Curran, Lee Howard, Bill Manning, Ray Plzak, Paul
Vixie and Bill Woodcock, should be ashamed of the incompetence they have
displayed in allowing things to go on as they have for so long.

In my opinion, a competent BoT would have reinstated PGP, documented all
the various supported technologies and added a non-email RPC submission
protocol over secure HTTP. This last is what people commonly call REST
used via an https: URL. For background on REST have a look at
http://www.prescod.net/rest/security.html and for an example of how such
things can be implemented by a flexible app which supports many
protocols, look at

Of course, Paul Vixie and Bill Woodcock are actually trying to sort out
this mess, so perhaps they don't need to feel as ashamed as the rest of
the BoT.

This brings us to my second thoughts on these three proposals. I realize
that the AC has some flexibility on rewording proposals before they
actually go to the BoT, but I'm not sure what the limits of that are. So
I would not want to, in any way delay the reinstatement of PGP. 2007-1
is a good thing. I am FOR this policy. 

As for the other two which merely document something that exists, I
don't much care one way or the other. I'd rather not see such
documentation in the policy itself, but I certainly DO WANT TO SEE some
documentation of these things on the ARIN web site. And with more
detail, including graphics, than are possible in a policy document.

It is possible that the BoT collectively, does not have enough security
expertise to determine what is the meaning of "support commonly used
authentication/encryption protocols". In that case, I suggest that they
consult someone with recognized security expertise who could spend a
half hour to dash off a 2 page summary of what that implies. That 2 page
summary could then become a roadmap for the ARIN technical staff to work
against. I suggest that someone like Steve Bellovin would be an
appropriate author for such guidance. I'm not going to put this
suggestion into the ARIN suggestion box http://app.arin.net/suggestion/
because the whole matter is already being discussed in the public policy
forum and I don't think the BoT can fail to miss it. Also, if you click
that suggestion URL, you will notice that you are redirected to an
https: URL. Probably the ARIN technical staff already knows how to
provide more secure communications channels but the bad policy is
hampering them from acting.

Michael Dillon
Capacity Management, 66 Prescot St., London, E1 8HG, UK
Mobile: +44 7900 823 672    Internet: michael.dillon at bt.com
Phone: +44 20 7650 9493    Fax: +44 20 7650 9030

One Community   One Connection   One Focus 

More information about the ARIN-PPML mailing list