[ppml] 2007-1, was Re: mail auth proposals

Bill Woodcock woody at pch.net
Fri Apr 13 05:25:09 EDT 2007


      On Thu, 12 Apr 2007, william(at)elan.net wrote:
    > > We don't feel that ARIN should apply something other than the
    > > normally-accepted PGP authentication process (check government-issued
    > > photo ID in the physical presence of the other person, and hear their
    > > key fingerprint from them directly).  There's a right way to do it, and ARIN
    > > shouldn't break an established practice.
    > 
    > So you're in fact thinking about #2 and identity verification as main
    > purpose behind it?

Both #1 and #2.  Basically, this is best-practice, as established globally 
by the other RIRs.  It works well enough elsewhere.  Obviously one could 
engineer something else if one were starting from scratch, but it would be 
unproven.  This is proven, and good enough, and not much work.  And 
there's no reason for ARIN to be gratuitously different from the rest of 
the world, when the difference is for the worse.

    > I don't understand your reasons. ARIN staff should be free to use any
    > email authentication method relevant to their job duties and they don't
    > need our permission. And I don't think policy should be used to educate
    > them especially when it's basically MAY anyway.

In this case, MAY is as opposed to MAY NOT, rather than as opposed to 
SHOULD or MUST.  The worry of the authors is that internal staff policy 
(as opposed to bottom-up public policy) might later get made which 
precluded staff also signing with their own keys.  We thought, as you do, 
that that would be unfortunate.

                                -Bill



