[ppml] 2007-1, was Re: mail auth proposals
william at elan.net
Thu Apr 12 03:58:50 EDT 2007
On Tue, 10 Apr 2007, Bill Woodcock wrote:
> On Tue, 10 Apr 2007, william(at)elan.net wrote:
> > I think ARIN should accept maximum 2-step PGP chain...
> I think I can guess that the authors would all be fine with that. I
> certainly would be. I don't think anyone's attached to the number five,
> and I think most of us aren't positive we need to specify a number in the
Perhaps the issue is that its unclear what the goals are for deploying
this email authentication. There can actually be two gaols:
1. To verify that email address sent to ARIN really came from listed
2. To verify that the person sending the email and using email address
is really who he says he is
Two other email authentication methods being proposed focus only on #1
and in fact there is no way to do #2 with them at all. PGP does allow
#2 which happens during direct key signing (i.e. somebody from ARIN
verifies identity of the person with such and such PGP key) and less
directly through PGP chain of trust.
However if you really do not have #2 as requirement, then chain of trust
is of limited interest. What you really want is to make sure that ARIN
knows that this public key really does correspond to this email address
and to nobody else. This can be done by just looking up fingerprint on
the key server or ARIN could do direct verification upon request and
send some "check" message to listed email address who would then have
to respond to ARIN and include relevant part of check message (some
verification id) in email signed by his/her PGP key; that is not the
only way to do it; it could also be done for example by including URL
in verification email message where the person who received it would
click and there paste his/her fingerprint; many other similar ways
exist so perhaps details are better left to ARIN staff.
> Well, the idea was that ARIN hostmasters would do key-signings at ARIN
> meetings, and participate in key-signings at other meetings, but we felt
> that it was too prescriptive to get into that level of detail in the
> We don't feel that ARIN should apply something other than the
> normally-accepted PGP authentication process (check government-issued
> photo ID in the physical presence of the other person, and hear their key
> fingerprint from them directly). There's a right way to do it, and ARIN
> shouldn't break an established practice.
So you're in fact thinking about #2 and identity verification as main
purpose behind it?
> > Last part is completely unnecessary, staff members should feel free to
> > use PGP no matter if policy states it or not.
> That would be nice, but unfortunately we didn't agree that it was
> unnecessary to say it. :-/
I don't understand your reasons. ARIN staff should be free to use any
email authentication method relevant to their job duties and they dont
need our permission. And I don't think policy should be used to educate
them especially when its basically MAY anyway.
william at elan.net
More information about the ARIN-PPML