[ppml] Policy Proposal 2007-1 - Staff Assessment

Randy Bush randy at psg.com
Fri Apr 13 14:27:59 EDT 2007


>      4.	In the section "KEY USE IN COMMUNICATION", the proposal requires
> validation of "a chain of trust not longer than five steps" between the
> signing key and ARIN's hostmaster role key, without regard to whether
> such intermediary signers are ARIN POCs, or are even known to ARIN.
> Without direct binding of the PGP key to an ARIN POC record, such
> anonymity in the chain of trust raises serious questions about how ARIN
> staff will know and evaluate that an e-mail from a signer is
> authentically from the ARIN POC that the sender claims to be.

this is critical!

>      5.	A PGP-key for hostmaster at arin.net exists on pgp.mit.edu as well
> as other well-known PGP-key repositories.  This key was set up during
> the early days of ARIN, and the passphrase for the key is, as of this
> writing, MIA.  This prevents ARIN from using the key to sign anything,
> and furthermore prevents ARIN from removing the key from the key
> repositories mentioned above.  Although ARIN could proceed by generating
> a new PGP-key, we would need to use a limited distribution mechanism
> that excludes well-known servers, since more than one key for the same
> e-mail address cannot exist in the key servers.

i believe that last assertion to be incorrect

randy
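An added example, not from this thread or from ARIN, of the check point 4 above describes: a registry that accepts PGP-signed requests has to find the certification chain from the signer's key back to its own hostmaster key, enforce the "not longer than five steps" bound, and flag any intermediate signer that is not bound to a POC record. The web of trust, the POC bindings and the key names below are constructed sample data; the real registry would read signatures from its keyring and POC bindings from its database.

```python
from collections import deque

# Constructed sample web of trust (not real ARIN data): key -> keys that certified it.
CERTIFIERS = {
    "HOSTMASTER": set(),
    "A": {"HOSTMASTER"},
    "B": {"A"},
    "C": {"B"},
    "D": {"C"},
    "E": {"D"},
    "F": {"E"},
    "X": {"B", "C"},
    "LOOP1": {"LOOP2"},   # two keys that only certify each other
    "LOOP2": {"LOOP1"},
}

# Keys the registry has bound to a POC record (constructed assumption).
POC_BOUND = {"HOSTMASTER", "A", "C"}

MAX_STEPS = 5  # the proposal's "chain of trust not longer than five steps"


def shortest_chain(signer, root="HOSTMASTER", certifiers=CERTIFIERS):
    """Breadth-first search from the signer's key upward through its certifiers.

    Returns the shortest list [signer, ..., root], or None when the root is not
    reachable (an unknown key, or a certification loop that never reaches it).
    """
    if signer == root:
        return [root]
    parents = {signer: None}          # visited set doubling as back-pointers
    queue = deque([signer])
    while queue:
        key = queue.popleft()
        for cert in sorted(certifiers.get(key, ())):
            if cert in parents:
                continue
            parents[cert] = key
            if cert == root:
                chain = [root]
                while parents[chain[-1]] is not None:
                    chain.append(parents[chain[-1]])
                return list(reversed(chain))
            queue.append(cert)
    return None


def evaluate_signer(signer, max_steps=MAX_STEPS):
    """Apply the length bound and list intermediaries the registry does not know."""
    chain = shortest_chain(signer)
    if chain is None:
        return {"signer": signer, "chain": None, "steps": None,
                "within_limit": False, "unknown_intermediaries": []}
    steps = len(chain) - 1            # number of certification hops
    intermediaries = chain[1:-1]      # everyone between signer and root
    return {
        "signer": signer,
        "chain": chain,
        "steps": steps,
        "within_limit": steps <= max_steps,
        "unknown_intermediaries": [k for k in intermediaries if k not in POC_BOUND],
    }


if __name__ == "__main__":
    for key in ("E", "F", "X", "LOOP1"):
        print(evaluate_signer(key))
```

Note what the length bound alone does not tell the registry: key X is three steps from the hostmaster key, comfortably inside the limit, yet the shortest chain runs through B, a key nobody has tied to a POC record. That is the gap the staff assessment raises, and the unknown_intermediaries list is where a policy would have to decide whether such a chain is acceptable.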
