[ppml] 2007-1, was Re: mail auth proposals

michael.dillon at bt.com michael.dillon at bt.com
Tue Apr 10 19:19:32 EDT 2007


> I believe that is too long and opens for security holes when ARIN does
> not know for sure if it can trust persons in between. I think 
> ARIN should
> accept maximum 2-step PGP chain but have special system where 
> ARIN will
> sign key for any contact it previously authenticated by either PGP or 
> S/MIME (maybe use different key for that if person is not 
> authenticated
> in person).

I don't think it's too long and I don't think it's too short. I don't
think that 5 steps is right either and I don't think that details like
this belong in policy.

I do think that ARIN should consult a recognized security expert for
advice on this. Someone with the stature of Steve Bellovin or Bruce
Schneier for instance or someone who has credentials from IETF
security-related working groups.

99% or more of the people on this list, including me, are not qualified
to give expert opinions on this even if we have implemented security
systems in the past.

--Michael Dillon



More information about the ARIN-PPML mailing list