[ppml] Policy Proposal 2007-1 - Staff Assessment

Randy Bush randy at psg.com
Fri Apr 13 18:45:25 EDT 2007


>>>      4. In the section "KEY USE IN COMMUNICATION", the
>>> proposal requires validation of "a chain of trust not longer than
>>> five steps" between the signing key and ARIN's hostmaster
>>> role key, without regard to whether such intermediary signers
>>> are ARIN POCs, or are even known to ARIN.  Without direct
>>> binding of the PGP key to an ARIN POC record, such
>>> anonymity in the chain of trust raises serious questions about
>>> how ARIN staff will know and evaluate that an e-mail from a
>>> signer is authentically from the ARIN POC that the sender
>>> claims to be.
>>
>> this is critical!
> 
> I think folks are confusing authentication with authorization here

yes.  when i give my public pgp key to arin, i am saying
  o you know it is i because i can sign things with the private key
    which matches this public key (authentication), and
  o our contract authorizes me to conduct certain classes of
    transactions with arin (authorization)

if i sign joe's key wi the private key, this might give arin some warm
fuzzies that joe is joe (or not).  but what it does not do is say that
joe is authorized to conduct any transactions with arin.

transitive pgp has no way of expressing what authorization is being
transferred.

randy



More information about the ARIN-PPML mailing list