[ppml] Policy Proposal 2007-1 - Last Call
william(at)elan.net
william at elan.net
Thu Apr 26 07:38:31 EDT 2007
Is the proposal going in as-is or would the text be changed in some way?
On Wed, 25 Apr 2007, Member Services wrote:
> Policy Proposal 2007-1
> Reinstatement of PGP Authentication Method
>
> The ARIN Advisory Council (AC), acting under the provisions of the ARIN
> Internet Resource Policy Evaluation Process (IRPEP), determined that
> there is community consensus in favor of the proposal and moved it to
> last call. The AC made this determination at their meeting at the
> conclusion of the ARIN Public Policy meeting on 24 April 2007. The Chair
> of the AC reported the results of the AC meeting during the Members
> Meeting. The AC Chair's report can be found at:
> http://www.arin.net/meetings/minutes/ARIN_XIX/mem.html
>
> The policy proposal text is provided below and is also available at:
> http://www.arin.net/policy/proposals/2007_1.html
>
> Comments are encouraged. All comments should be provided to
> ppml at arin.net. This last call will expire at 23:59, Eastern Time, 9 May
> 2007.
>
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ##*##
>
>
> Policy Proposal 2007-1
> Reinstatement of PGP Authentication Method
>
> Proposal type: New
>
> Policy term: Permanent
>
> Policy statement:
>
> ADDITION TO NRPM
>
> 12 Authentication Methods
>
> 12.1 Mail-From
> This section intentionally left blank.
>
> 12.2 PGP
> ARIN accepts PGP-signed email as authentic communication from authorized
> Points of Contact. POCs may denote their records "crypt-auth,"
> subsequent to which unsigned communications shall not be deemed
> authentic with regard to those records.
>
> 12.3 X.509
> This section intentionally left blank.
>
> UPDATES TO TEMPLATES
>
> ARIN shall update templates as necessary to identify and distinguish
> between mail-from, PGP, and X.509 authentication methods.
>
> UPDATES TO DOCUMENTATION
>
> ARIN shall update documentation as appropriate to explain the
> differences between mail-from, PGP, and X.509 authentication methods.
>
> KEY USE IN COMMUNICATION:
>
> ARIN shall accept PGP-signed communications, validate that a chain of
> trust not longer than five steps exists between the signing key and the
> ARIN hostmaster role key, compare the signing key to the identity of the
> authorized POCs for records referenced in the correspondence, and act
> appropriately based upon the validity or invalidity of the signature.
>
> ARIN shall PGP-sign all outgoing hostmaster email with the hostmaster
> role key, and staff members may optionally also sign mail with their own
> individual keys.
>
> ARIN shall accept PGP-encrypted communications which are encrypted using
> ARIN's hostmaster public key.
>
> ARIN shall not encrypt any outgoing communications except at the prior
> request of the recipient.
> Policy Rationale
>
> Rationale:
>
> Globally, PGP is the most commonly used cryptographic authentication
> method between RIRs and resource recipients who wish to protect their
> resource registration records against unauthorized modification. The
> PGP-auth authentication method is supported by RIPE, APNIC, and AfriNIC,
> LACNIC supports an equivalent mechanism, and PGP was historically
> supported by the InterNIC prior to ARIN's formation. By contrast,
> current ARIN resource recipients have only two options: "mail-from,"
> which is trivially spoofed and should not be relied upon to protect
> important database objects, and X.509, which involves a rigorous and
> lengthy proof-of-identity process and compels use of a compatible MUA, a
> combination which has dissuaded essentially all of ARIN's constituents.
> Additionally, X.509's centralized failure mode is technically and
> ideologically repugnant to some members of the community, who should not
> be forced to choose between two evils.
>
> There isn't a lot of work to do here, and certainly nothing tricky. PGP
> is simple code, which was supported by the InterNIC, and which the other
> RIRs deployed without a second thought or complaint. If RIPE and APNIC
> have always done this, the InterNIC did it before ARIN was formed, and
> LACNIC and AfriNIC took the need for cryptographic security for granted
> as a part of their startup process, we see no reason why ARIN should be
> the only RIR to not offer this most basic of protections to its members.
>
> We need to get PGP support reinstated, so that our records can be
> protected against hijacking and vandalism, and so we won't look like
> idiots as the only one of the five regions that can't figure this stuff out.
>
> Timetable for implementation: Immediate
>
> _______________________________________________
> This message sent to you through the ARIN Public Policy Mailing List
> (PPML at arin.net).
> Manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/ppml
More information about the ARIN-PPML
mailing list