[ppml] Policy Proposal 2007-1 - Staff Assessment
Randy Bush
randy at psg.com
Fri Apr 13 14:27:59 EDT 2007
> 4. In the section "KEY USE IN COMMUNICATION", the proposal requires
> validation of "a chain of trust not longer than five steps" between the
> signing key and ARIN's hostmaster role key, without regard to whether
> such intermediary signers are ARIN POCs, or are even known to ARIN.
> Without direct binding of the PGP key to an ARIN POC record, such
> anonymity in the chain of trust raises serious questions about how ARIN
> staff will know and evaluate that an e-mail from a signer is
> authentically from the ARIN POC that the sender claims to be.
this is critical!
> 5. A PGP-key for hostmaster at arin.net exists on pgp.mit.edu as well
> as other well-known PGP-key repositories. This key was set up during
> the early days of ARIN, and the passphrase for the key is, as of this
> writing, MIA. This prevents ARIN from using the key to sign anything,
> and furthermore prevents ARIN from removing the key from the key
> repositories mentioned above. Although ARIN could proceed by generating
> a new PGP-key, we would need to use a limited distribution mechanism
> that excludes well-known servers, since more than one key for the same
> e-mail address cannot exist in the key servers.
i believe that last assertion to be incorrect
randy
More information about the ARIN-PPML
mailing list