[ppml] Policy Proposal 2007-1 - Staff Assessment

michael.dillon at bt.com michael.dillon at bt.com
Sun Apr 15 18:20:29 EDT 2007


> In which you suggested a distance of 1, rather than, say, somewhere 
> between 2 and 5.  Yes, if that were to be done, it would make 
> PGP just as 
> useless as X.509, thereby making X.509 not look quite so bad by 
> comparison.  What of it?

If I understand this argument correctly, it centers on how many steps in
the chain should be allowed when deciding to accept a PGP key as
authentication of the person submitting some type of transaction.

If, one assumed that BOTH authentication and authorization were
established by a valid key, then ARIN should not accept more than 1
step, namely, only keys signed by ARIN's key would be acceptable.

However, if one does not make that assumption, and assumes that
authorization is established out-of-band through some other business
process (letter, phone call, etc.) then more steps in the chain are
acceptable and Bill's policy language is fine as it is. The purpose for
a limit of 5 steps is just to keep things reasonably under control. The
PGP key will only be used to authenticate transactions as originating
from a certain individual who is already in ARIN's db as an authorized
individual.

The authorization then happens once per indivudual, and the
authentication happens on every single transaction.

Therefore, there really is no argument between Bill and Randy, just a
misunderstanding of assumptions.

--Michael Dillon



More information about the ARIN-PPML mailing list