[ppml] Policy Proposal 2007-1 - Last Call
Ed.Lewis at neustar.biz
Thu Apr 26 14:26:33 EDT 2007
At 11:56 -0500 4/26/07, Stephen Sprunk wrote:
>All valid objections, and ones that counsel noted, but one must remember that
>MAIL-FROM authentication means that today anyone can send in an email
>template with Owen's From: address and it'll be considered "authentic". While
>I agree there's potential for fraud with PGP, pulling it off in practice is
>more difficult than what we have today and the proposal should not be rejected
>solely on those grounds.
I have been reviewing the proposals as much as possible individually,
meaning I try not to compare the merits of one versus the other. I
haven't been trying to compare PGP to mail-from, but there is no
doubt that any approach to security using PGP is better than relying
on mail-from. I just haven't considered settling for a "step up" as
the goal - not to argue, but to let you know my frame of reference.
>I do urge the AC to reduce the number of steps in the chain before moving this
>proposal forward. Five seems to be way too many; I'd be happiest with one,
>but I'd accept two or three.
Being that I am not a fan of PGP (I am not against it, but do not use
it after my experience working with it about 8 years ago at a company
that bought the rights to it from Zimmermann and then ditched the
product before selling a copy), I would like to hear, from the
proposal authors perhaps, why the number 5 is in the policy proposal.
(When I say I am not a fan, take that as I am not someone who has
full and accurate knowledge of the technology and isn't about to set
down my other duties to go and study up on it. I am not against PGP,
maybe I just don't understand some fine point.)
BTW, I am sympathetic to Dillon's belief that this is too detailed
for PPML, but, it is in the proposal and there really is no other
venue to cover this within the ARIN umbrella of discussion fora.
When I read the policy proposal 2007-1, my vision of five steps was
from Pat Blow's keys signed by Menynty Encyunse in Elbonia, signed by
the mythical $mail-troll, signed by someone that has legacy space but
managed to have PGP keys signed by ARIN.
Perhaps the vision of the authors would be more along the lines of
"IP-admin-role-of-Bill's-Bait-n-Sushi-ISP" signed by
"Bill's-Bait-n-Sushi-ISP" signed by ARIN.
In the latter case, I can see a multi-step $word-of-trust being used,
but not in the former case.
Edward Lewis +1-571-434-5468
Sarcasm doesn't scale.
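The two chains sketched above (Pat Blow's key reached through four intermediate signers, versus a role key signed by an ISP key signed by ARIN) come down to one mechanical question: how many certification hops from the ARIN key does a policy allow? The following is an added example, not part of the original message or of the ARIN proposal, that models such a chain limit. The signature graph and all key names in it are constructed for illustration; the model deliberately ignores everything else a real PGP trust computation weighs (owner-trust levels, marginal versus full certifications, expiry and revocation) and counts only chain length.

```python
from collections import deque

# Constructed toy certification graph; not data from any real keyring or
# from the ARIN proposal. Each entry maps a key to the keys that have
# certified (signed) it. "ARIN" is the trust anchor.
CONSTRUCTED_SIGNATURES = {
    # First chain in the message: a long path out to Pat Blow
    "Pat Blow": ["Menynty Encyunse"],
    "Menynty Encyunse": ["mail-troll"],
    "mail-troll": ["legacy-holder"],
    "legacy-holder": ["ARIN"],
    # Second chain: a role key signed by the ISP key, which ARIN signed
    "IP-admin-role-of-Bills-Bait-n-Sushi-ISP": ["Bills-Bait-n-Sushi-ISP"],
    "Bills-Bait-n-Sushi-ISP": ["ARIN"],
    # A key that no one in the graph has certified
    "orphan": [],
}


def trust_path(signatures, anchor, target):
    """Return the shortest certification chain from anchor to target as a
    list of keys (anchor first, target last), or None if none exists.

    Breadth-first search walks from the target back toward the anchor along
    "signed by" edges, so the first hit is a shortest chain."""
    if target == anchor:
        return [anchor]
    # parent[k] is the key that k certified on the way back to the target
    parent = {target: None}
    queue = deque([target])
    while queue:
        key = queue.popleft()
        for signer in signatures.get(key, []):
            if signer in parent:
                continue
            parent[signer] = key
            if signer == anchor:
                path = [anchor]
                node = key
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return path
            queue.append(signer)
    return None


def within_policy(signatures, anchor, target, max_steps):
    """Accept target only if a chain from anchor exists and contains at
    most max_steps certifications. Returns (accepted, steps); steps is
    None when no chain exists."""
    path = trust_path(signatures, anchor, target)
    if path is None:
        return False, None
    steps = len(path) - 1  # one certification per edge in the chain
    return steps <= max_steps, steps


if __name__ == "__main__":
    for target in ("Pat Blow",
                   "IP-admin-role-of-Bills-Bait-n-Sushi-ISP",
                   "orphan"):
        for limit in (5, 2):
            ok, steps = within_policy(CONSTRUCTED_SIGNATURES, "ARIN",
                                      target, limit)
            print(f"{target:45s} max={limit} steps={steps} accepted={ok}")
```

Two caveats a policy text should pin down, which the toy makes visible: whether "five steps" counts keys or signatures (the Pat Blow chain above has five keys but four certifications, so it passes a limit of 5 under one reading and is borderline under the other), and that chain length alone says nothing about how much each signer was trusted to vouch for others. GnuPG caps the chain it will follow with its --max-cert-depth option, whose default is 5, but it combines that cap with per-key owner-trust settings rather than relying on depth by itself.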