[ppml] 2007-1, was Re: mail auth proposals
william at elan.net
Tue Apr 10 16:55:46 EDT 2007
On Tue, 10 Apr 2007, Edward Lewis wrote:
> At 6:40 -1000 4/10/07, Randy Bush wrote:
>>> ARIN shall accept PGP-signed communications, validate that a
>>> chain of trust not longer than five steps exists between the
>>> signing key and the ARIN host master role key...
>> this is not wise. with pgp, i would not trust anything more than
>> one hop from the key on file with the contract. pgp is not x.509.
> I want to add a "I noticed this too and disagree" with the quip
> highlighted by Randy. It was in the back of my mind when
> "questioning" PGP but I didn't think to include it explicitly.
> Meaning - X.509 is clear; ARIN can fix/cement the certs so that it is
> both the issuer and the relying party hence put "trust" into the
> binding of the key to the POC and the message (via signature) to the
> POC. With PGP you have to either be willing to trust "introducers"
> or else restrict our trust to only those with whom you directly
> signed their keys.
> X.509 and PGP both can bind a key to an entity but their trust
> architecture is different. X.509 is hierarchical, PGP is not.
> Neither is better than the other, neither is worse than the other,
> but they are different. I am for ARIN making PGP available only if
> it is implemented in a way that ARIN has "control" of the trust
> arrangement as far as they "control" anything else. (By that I mean,
> via example - ARIN can delegate DNS to someone and has a policy for
> lame delegations. If that someone then delegates elsewhere, it is
> beyond ARIN's control and the lame delegation policy doesn't cover
I don't quite understand how you connected PGP authorization policy with
As far as PGP goes, I have a comment. Current policy text states that:
"ARIN shall accept PGP-signed communications, validate that a chain of
trust not longer than five steps exists between the signing key and the
ARIN hostmaster role key"
I believe that is too long and opens security holes when ARIN does
not know for sure if it can trust persons in between. I think ARIN should
accept a maximum 2-step PGP chain but have a special system where ARIN will
sign the key of any contact it previously authenticated by either PGP or
S/MIME (maybe use different key for that if person is not authenticated
Also text says "ARIN shall PGP-sign all outgoing hostmaster email with the
hostmaster role key, and staff members may optionally also sign mail with
their own individual keys."
The last part is completely unnecessary; staff members should feel free to
use PGP whether or not the policy states it.
william at elan.net
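To make the chain-length argument above concrete, here is an added example (not code from the thread or from ARIN): a small web-of-trust model that finds the shortest certification path from the hostmaster role key to a signer's key and applies a maximum-steps policy. The key names and certification graph are constructed; direct_sign() models the proposal that ARIN signs the key of a contact it has already authenticated, which collapses the chain to one step.

```python
from collections import deque

# Constructed web of trust: each key id maps to the set of key ids it has
# certified (signed).  All names are hypothetical; "arin-hostmaster" stands
# for the ARIN hostmaster role key, the other entries for POC keys.
CERTIFICATIONS = {
    "arin-hostmaster": {"alice"},
    "alice": {"bob"},
    "bob": {"carol"},
    "carol": {"dave"},
    "dave": {"eve"},
}

def trust_path(certs, root, signer):
    """Breadth-first search for the shortest certification chain from root
    (the hostmaster role key) to signer.  Returns the list of keys on that
    chain, or None if no chain exists."""
    if root == signer:
        return [root]
    prev = {root: None}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in certs.get(cur, ()):
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == signer:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None

def accept_signature(certs, root, signer, max_steps):
    """Policy check: accept the signature only if a chain of at most
    max_steps certifications links the hostmaster key to the signer."""
    path = trust_path(certs, root, signer)
    return path is not None and len(path) - 1 <= max_steps

def direct_sign(certs, root, contact):
    """Model ARIN signing the key of a contact it authenticated out of
    band, so future mail from that contact needs only a one-step chain."""
    certs.setdefault(root, set()).add(contact)
```

With a five-step limit "eve" is accepted purely on the word of four intermediate introducers ARIN has never vetted; with a two-step limit she is refused until ARIN certifies her key directly.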