[ppml] Policy Proposal 2007-1 - Staff Assessment

Sat Apr 14 01:28:50 EDT 2007

      On Fri, 13 Apr 2007, Stephen Sprunk wrote:
    > If bob at foo.com signs a key for john at bar.com, ARIN could 
    > legitimately consider mail from john at bar.com to be authentic if ARIN trusts 
    > bob at foo.com.  Still, ARIN would only allow john at bar.com to update FooCorp's 
    > records if he was a POC for FooCorp.

Yes, that is correct.  The proposal neither says nor intends anything more 
than that.

    > I happen to think five steps is excessive, and would like that revised 
    > lower, but by itself that's not enough reason for me to be against this 
    > proposal.

None of us have any stake in the number.  As I said before, I think all of 
us would be just as happy with 2 as 5.  1 is too short, and 6 is 
definitely too long.  But somewhere between 2 and 5 would seem to be a 
reasonable window.

    > Counsel's reasonable concerns about liability may require 
    > us to eliminate the chain of trust entirely.

With all due respect to my colleague Mr. Ryan, the alternative is 
mail-from.  I think that needs to be kept in mind, when one speaks of 
relative liability.

    > I know for a fact it's incorrect; the same thing happened to me years ago 
    > and the keyserver network now has several different keys for me (only one of 
    > which I still possess).
    > 
    > Still, I'd expect that the keyserver operators would cooperate with removing 
    > ARIN's old key if contacted by non-electronic means.

Yes, I believe both of these to be true, and pertinent.

                                -Bill