[ppml] 2007-1, was Re: mail auth proposals

william(at)elan.net william at elan.net
Thu Apr 12 03:58:50 EDT 2007 

On Tue, 10 Apr 2007, Bill Woodcock wrote:

>      On Tue, 10 Apr 2007, william(at)elan.net wrote:
>    > I think ARIN should accept maximum 2-step PGP chain...
>
> I think I can guess that the authors would all be fine with that.  I
> certainly would be.  I don't think anyone's attached to the number five,
> and I think most of us aren't positive we need to specify a number in the
> policy.

Perhaps the issue is that its unclear what the goals are for deploying
this email authentication. There can actually be two gaols:
  1. To verify that email address sent to ARIN really came from listed
     email address
  2. To verify that the person sending the email and using email address
     is really who he says he is

Two other email authentication methods being proposed focus only on #1
and in fact there is no way to do #2 with them at all. PGP does allow
#2 which happens during direct key signing (i.e. somebody from ARIN 
verifies identity of the person with such and such PGP key) and less 
directly through PGP chain of trust.

However if you really do not have #2 as requirement, then chain of trust 
is of limited interest. What you really want is to make sure that ARIN 
knows that this public key really does correspond to this email address 
and to nobody else. This can be done by just looking up fingerprint on
the key server or ARIN could do direct verification upon request and
send some "check" message to listed email address who would then have
to respond to ARIN and include relevant part of check message (some 
verification id) in email signed by his/her PGP key; that is not the
only way to do it; it could also be done for example by including URL
in verification email message where the person who received it would
click and there paste his/her fingerprint; many other similar ways
exist so perhaps details are better left to ARIN staff.

> Well, the idea was that ARIN hostmasters would do key-signings at ARIN
> meetings, and participate in key-signings at other meetings, but we felt
> that it was too prescriptive to get into that level of detail in the
> policy.
>
> We don't feel that ARIN should apply something other than the
> normally-accepted PGP authentication process (check government-issued
> photo ID in the physical presence of the other person, and hear their key
> fingerprint from them directly).  There's a right way to do it, and ARIN
> shouldn't break an established practice.

So you're in fact thinking about #2 and identity verification as main
purpose behind it?

>    > Last part is completely unnecessary, staff members should feel free to
>    > use PGP no matter if policy states it or not.
>
> That would be nice, but unfortunately we didn't agree that it was
> unnecessary to say it.  :-/

I don't understand your reasons. ARIN staff should be free to use any
email authentication method relevant to their job duties and they dont
need our permission. And I don't  think policy should be used to educate 
them especially when its basically MAY anyway.

-- 
William Leibzon
Elan Networks
william at elan.net

More information about the ARIN-PPML mailing list