[ppml] Policy Proposal 2007-1 - Last Call

michael.dillon at bt.com
Thu Apr 26 12:25:14 EDT 2007


> Let's say I get someone to sign a key for me with an identity of Owen 
> DeLong.  If ARIN accepts that someone as a trusted introducer, then 
> how can ARIN distinguish between templates submitted by me signed 
> with my Owen key and templates Owen genuinely submits?

On the surface, this sounds like a valid objection. In the absence of
comment from a recognized and trusted voice in the security field, I can
think of nothing to say that would alleviate your fears. This doesn't
mean that I don't know the answer to your concern but it means that
because security is a secondary area of expertise for me, I have no
certificates, I don't speak at security conferences and I don't publish
papers in the field of security. Therefore, from a policy point of view,
I recommend that people should not trust any security advice that I
give. In fact, I believe that there are very, very few PPML participants
(maybe none) who have recognized security expertise.

Therefore, such technical details of security SHOULD NOT BE IN POLICY!!!

Language such as the following would be far superior to limiting the
chain of trust to 5 steps:

   ARIN will publish guidelines describing how 
   it makes use of PGP for authentication. These
   guidelines will be written in accordance with 
   accepted industry standards for security and
   will be signed off by a recognized security expert
   before being implemented. The published guidelines
   will include a description of the conditions under
   which ARIN will accept a PGP key for authentication.

After that, I would not be surprised to see the guidelines mention a
chain of trust with 5 steps. I would not be surprised if ARIN technical
staff get in a security consultant to review the entire authentication
architecture. And I would not be surprised if the guidelines change so
that it is no longer simply 5 steps in the chain of trust. Maybe it will
end up being 3 steps with step 1 being ARIN staff, step 2 being an ARIN
resource holder, and step 3 being Joe Bloe. Who knows? But these details
do NOT belong in policy. 

And the detailed technical discussion does NOT belong on PPML.

--Michael Dillon
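To make the objection quoted at the top of this message concrete, here is an added example that is not part of the thread and is not ARIN's actual authentication procedure. It models a PGP-style web of trust in Python: keys carry a user ID and a set of signers, a trust path is the number of signature hops from ARIN's key, and a chain-length limit (5 steps as in the proposal, or 3 as Michael speculates) decides which keys are accepted. All fingerprints, names and signatures in the key ring are constructed for the example; the fake "Owen DeLong" key only illustrates the scenario already described in the quoted text.

```python
"""
Toy PGP-style web-of-trust path validation (constructed example).

The key ring, fingerprints and user IDs below are made up; this is not
ARIN's real authentication setup.
"""
from collections import deque

# Constructed key ring: fingerprint -> (user ID, fingerprints that signed this key)
KEYRING = {
    "FP-ARIN":   ("ARIN Hostmaster", set()),                 # trust root
    "FP-HOLDER": ("Example Resource Holder", {"FP-ARIN"}),   # step 1
    "FP-INTRO":  ("Trusted Introducer", {"FP-HOLDER"}),      # step 2
    "FP-OWEN":   ("Owen DeLong", {"FP-HOLDER"}),             # the genuine key (step 2)
    "FP-FAKE":   ("Owen DeLong", {"FP-INTRO"}),              # same name, signed by the introducer (step 3)
}


def trust_path_length(root, target, keyring=KEYRING):
    """Shortest number of signature hops from `root` to `target`, or None if unreachable."""
    # Build a forward adjacency list: signer -> keys it has signed.
    forward = {}
    for fp, (_uid, signers) in keyring.items():
        for signer in signers:
            forward.setdefault(signer, set()).add(fp)

    # Breadth-first search gives the shortest chain of trust.
    dist = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return dist[cur]
        for nxt in forward.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return None


def keys_accepted_for_name(name, root, max_steps, keyring=KEYRING):
    """All fingerprints whose user ID is `name` and that lie within `max_steps` of `root`.

    This is the naive check: it matches on the human-readable name, so every
    key carrying that name within the chain limit is returned.
    """
    accepted = []
    for fp, (uid, _signers) in keyring.items():
        if uid != name:
            continue
        steps = trust_path_length(root, fp, keyring)
        if steps is not None and steps <= max_steps:
            accepted.append(fp)
    return sorted(accepted)


def verify_template(submitted_fp, registered_fp, root, max_steps, keyring=KEYRING):
    """Accept a template only if it is signed by the fingerprint registered for
    the resource AND that key is within the chain-of-trust limit.

    Binding the resource record to a specific fingerprint is what separates the
    genuine key from another key that merely carries the same name.
    """
    if submitted_fp != registered_fp:
        return False
    steps = trust_path_length(root, submitted_fp, keyring)
    return steps is not None and steps <= max_steps


if __name__ == "__main__":
    # Name-based acceptance with a 5-step limit admits both "Owen DeLong" keys.
    print(keys_accepted_for_name("Owen DeLong", "FP-ARIN", 5))
    # Fingerprint-pinned verification rejects the second key regardless of chain length.
    print(verify_template("FP-FAKE", "FP-OWEN", "FP-ARIN", 5))
    print(verify_template("FP-OWEN", "FP-OWEN", "FP-ARIN", 5))
```

Two things fall out of running it. With a 5-step limit, `keys_accepted_for_name` returns both keys named "Owen DeLong", which is exactly the indistinguishability the quoted objection raises; cutting the limit to 2 happens to exclude the introducer-signed key in this ring, but only because of where that key sits, not because the name collision was resolved. `verify_template` resolves it by comparing fingerprints against the key registered for the resource, which is the kind of detail the published guidelines, rather than the policy text, would need to specify.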
