[ppml] Policy Proposal 2007-1 - Last Call
stephen at sprunk.org
Thu Apr 26 12:56:20 EDT 2007
Thus spake "Edward Lewis" <Ed.Lewis at neustar.biz>
>I thought I understood Randy's objection, but after a re-read I don't
> think I do. Still, I believe that any chain relying on non-ARIN
> (approved) trusted introductions is a bad idea.
> Let's say I get someone to sign a key for me with an identity of
> Owen DeLong. If ARIN accepts that someone as a trusted
> introducer, then how can ARIN distinguish between templates
> submitted by me signed with my Owen key and templates Owen
> genuinely submits?
> Authorization policy is undermined by weakness in the
> authentication method.
All valid objections, and ones that counsel noted, but one must remember
that MAIL-FROM authentication means that today anyone can send in an email
template with Owen's From: address and it'll be considered "authentic".
While I agree there's potential for fraud with PGP, pulling it off in
practice is more difficult than what we have today and the proposal should
not be rejected solely on those grounds.
I do urge the AC to reduce the number of steps in the chain before moving
this proposal forward. Five seems to be way too many; I'd be happiest with
one, but I'd accept two or three.
Stephen Sprunk "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov
More information about the ARIN-PPML