[ppml] Policy Proposal 2007-1 - Staff Assessment
Randy Bush
randy at psg.com
Fri Apr 13 18:45:25 EDT 2007
>>> 4. In the section "KEY USE IN COMMUNICATION", the
>>> proposal requires validation of "a chain of trust not longer than
>>> five steps" between the signing key and ARIN's hostmaster
>>> role key, without regard to whether such intermediary signers
>>> are ARIN POCs, or are even known to ARIN. Without direct
>>> binding of the PGP key to an ARIN POC record, such
>>> anonymity in the chain of trust raises serious questions about
>>> how ARIN staff will know and evaluate that an e-mail from a
>>> signer is authentically from the ARIN POC that the sender
>>> claims to be.
>>
>> this is critical!
>
> I think folks are confusing authentication with authorization here
yes. when i give my public pgp key to arin, i am saying
o you know it is i because i can sign things with the private key
which matches this public key (authentication), and
o our contract authorizes me to conduct certain classes of
transactions with arin (authorization)
if i sign joe's key with the private key, this might give arin some warm
fuzzies that joe is joe (or not). but what it does not do is say that
joe is authorized to conduct any transactions with arin.
transitive pgp has no way of expressing what authorization is being
transferred.
randy
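The distinction the thread draws, modelled as a small added example (not code from the ARIN-PPML thread or from ARIN): a toy web-of-trust checker applies the proposal's "not longer than five steps" rule from a hostmaster root key, while a separate, constructed POC registry is the only place that says which key is bound to which contact and what that contact may do. Key names, fingerprints, handles and transaction names are all assumed for illustration; a key that validates through a long signature chain is shown to be authenticated without being authorized for anything.

```python
from collections import deque

# Constructed web of trust: signer key -> set of keys it has signed.
# "HOSTMASTER" stands in for ARIN's hostmaster role key; the rest are
# hypothetical signers, some of which ARIN has never heard of.
SIGNATURES = {
    "HOSTMASTER": {"ALICE"},
    "ALICE": {"BOB"},
    "BOB": {"CAROL"},
    "CAROL": {"DAVE"},
    "DAVE": {"EVE"},
    "EVE": {"FRANK"},
}

# The proposal's bound on chain length between signing key and hostmaster key.
MAX_STEPS = 5

# Constructed POC registry: this is the only place where a key is bound to a
# specific contact and to the transactions that contact may perform.
POC_REGISTRY = {
    "JOE-ARIN": {"key": "BOB", "may": {"update-contact", "request-space"}},
}


def chain_length(root, target, signatures=SIGNATURES):
    """Breadth-first search over signatures; returns the number of
    signature steps from root to target, or None if no chain exists."""
    if root == target:
        return 0
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        signer, depth = queue.popleft()
        for signed in signatures.get(signer, ()):
            if signed == target:
                return depth + 1
            if signed not in seen:
                seen.add(signed)
                queue.append((signed, depth + 1))
    return None


def is_authenticated(key):
    """Authentication only: does a chain of at most MAX_STEPS signatures
    connect the hostmaster key to this key?"""
    steps = chain_length("HOSTMASTER", key)
    return steps is not None and steps <= MAX_STEPS


def is_authorized(key, poc_handle, transaction):
    """Authorization only: is this exact key bound to the claimed POC
    record, and does that record permit the requested transaction?
    Nothing about the signature chain is consulted here."""
    record = POC_REGISTRY.get(poc_handle)
    return (
        record is not None
        and record["key"] == key
        and transaction in record["may"]
    )


def evaluate_request(key, claimed_poc, transaction):
    """Both checks, reported separately so a reviewer can see that a
    chain-validated key may still be authorized for nothing."""
    return {
        "authenticated": is_authenticated(key),
        "authorized": is_authorized(key, claimed_poc, transaction),
    }


if __name__ == "__main__":
    # BOB is bound to JOE-ARIN: authenticated and authorized.
    print("BOB  ", evaluate_request("BOB", "JOE-ARIN", "update-contact"))
    # CAROL validates through the chain but is bound to no POC: authenticated only.
    print("CAROL", evaluate_request("CAROL", "JOE-ARIN", "update-contact"))
    # FRANK is six steps out: the chain rule itself rejects the key.
    print("FRANK", evaluate_request("FRANK", "JOE-ARIN", "update-contact"))
```

The point of keeping the two functions apart is that `is_authenticated` can succeed for any key that five willing signers vouch for, so it is the explicit key-to-POC binding in `is_authorized`, not the chain, that decides whether a signed request should be acted on.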