[ppml] Policy Proposal 2007-1 - Staff Assessment
stephen at sprunk.org
Fri Apr 13 18:01:02 EDT 2007
Thus spake "Randy Bush" <randy at psg.com>
>> 4. In the section "KEY USE IN COMMUNICATION", the
>> proposal requires validation of "a chain of trust not longer than
>> five steps" between the signing key and ARIN's hostmaster
>> role key, without regard to whether such intermediary signers
>> are ARIN POCs, or are even known to ARIN. Without direct
>> binding of the PGP key to an ARIN POC record, such
>> anonymity in the chain of trust raises serious questions about
>> how ARIN staff will know and evaluate that an e-mail from a
>> signer is authentically from the ARIN POC that the sender
>> claims to be.
> this is critical!
I think folks are confusing authentication with authorization here (which is
common). The number of steps through the web of trust indicates how much
confidence one has when authenticating a sender. It has nothing to do with
authorizing the sender to perform a given action.
For instance, if bob at foo.com signs a key for john at bar.com, ARIN could
legitimately consider mail from john at bar.com to be authentic if ARIN trusts
bob at foo.com. Still, ARIN would only allow john at bar.com to update FooCorp's
records if he was a POC for FooCorp. Or is my understanding of the proposal
wrong? I doubt that, if someone at AT&T signs a key of someone at Verizon,
the authors intended to let Verizon modify all of AT&T's resources...
I happen to think five steps is excessive, and would like that revised
lower, but by itself that's not enough reason for me to be against this
proposal. Still, counsel's reasonable concerns about liability may require
us to eliminate the chain of trust entirely.
>> Although ARIN could proceed by generating a new PGP-key,
>> we would need to use a limited distribution mechanism that
>> excludes well-known servers, since more than one key for the
>> same e-mail address cannot exist in the key servers.
> i believe that last assertion to be incorrect
I know for a fact it's incorrect; the same thing happened to me years ago
and the keyserver network now has several different keys for me (only one of
which I still possess).
Still, I'd expect that the keyserver operators would cooperate with removing
ARIN's old key if contacted by non-electronic means. They might not (er,
won't) do this for individuals, but ARIN does have standing in the community
that warrants an exception...
Also, it's possible to have multiple email addresses attached to the same
key, allowing hostmaser@, reassign@, and any other role addresses to use the
same key. However, non-role addresses should not be added since they
effectively cannot be removed.
Stephen Sprunk "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov
More information about the ARIN-PPML