[ppml] 2007-1, was Re: mail auth proposals

Edward Lewis Ed.Lewis at neustar.biz
Thu Apr 12 10:12:54 EDT 2007

At 0:58 -0700 4/12/07, william(at)elan.net wrote:

>   1. To verify that email address sent to ARIN really came from listed
>      email address
>   2. To verify that the person sending the email and using email address
>      is really who he says he is
>Two other email authentication methods being proposed focus only on #1
>and in fact there is no way to do #2 with them at all. PGP does allow
>#2 which happens during direct key signing (i.e. somebody from ARIN
>verifies identity of the person with such and such PGP key) and less
>directly through PGP chain of trust.

Neither, really, is the goal of signing a message.  A signature over 
a message only means that someone with access to the private key 
calculated the signature.  Regardless of the email address used to 
send it, regardless of the true author of the message, regardless of 
whether this was even an email delivery.

I think that this is too fine a detail though.  It is reasonable to 
believe that a POC will create a key pair, present the public one to 
ARIN along with meta-data to validate that the key is the POC's and 
keep the private one appropriately secure.  The POC will then most 
likely use the key in an application which will sign templates as 
they are mailed to ARIN.  That is reasonable, although there are 
other scenarios.

The point of using PGP or X.509 (and realize they are "service 
equivalents" but the mechanics are different) is to remove the need 
for "mail-from" so neither #1 nor #2 are goals - it doesn't matter 
what the sending email address is.  If I have access to my private 
key but not my email I should be able to send in a signed template.

When a template is submitted under mail-from, there is no "claimed 
identity," that is the sender is inferred via the authentication 
process.  (Look at a template you have submitted.  Where is there a 
"who is requesting this?" field.)  With a certificate mechanism, 
whether PGP or X.509, the claimed identity of the sender of the 
template is in the identity field of the certificate, and the binding 
of the message to that identity is verified via analysis of the 
signature.  When you begin the authorization step (i.e., is the 
sender allowed to ask this) by inferring the sender, the process is 
much more complicated than if you at least know who the sender claims 
to be.

Removing mail-from has other benefits besides just making template 
submission more secure.  For one, only mail-from requires that the 
submission be in mail.

Edward Lewis                                                +1-571-434-5468

Sarcasm doesn't scale.
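The distinction the message draws (the signature binds the template to whoever holds the private key registered under a claimed identity; the mail-from address plays no part; authorization is a separate step once the identity is known) is easy to show in code. The following is an added example, not code from the thread or from ARIN's template-processing system. It uses Ed25519 from Go's standard library in place of PGP or X.509, and the identity handles, resource handle, template text, and the Registry/SignedTemplate types are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is a stand-in for the registry's records: for each POC identity
// the public key that POC presented, plus which resources each POC may act on.
// Both maps are constructed for this example and are not ARIN's data model.
type Registry struct {
	keys   map[string]ed25519.PublicKey // claimed identity -> registered public key
	admins map[string][]string          // resource -> identities allowed to request changes
}

// SignedTemplate models a PGP- or X.509-signed submission. ClaimedIdentity
// plays the role of the certificate's identity field; MailFrom is the
// transport "From:" and is deliberately left out of the signed bytes.
type SignedTemplate struct {
	ClaimedIdentity string
	MailFrom        string
	Template        string
	Signature       []byte
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, admins: map[string][]string{}}
}

// NewKeyPair is what the POC does locally; the private half never leaves them.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Register records the public key a POC presented under an identity.
func (r *Registry) Register(identity string, pub ed25519.PublicKey) {
	r.keys[identity] = pub
}

// Grant records that identity may submit templates for resource.
func (r *Registry) Grant(resource, identity string) {
	r.admins[resource] = append(r.admins[resource], identity)
}

// signingInput binds the claimed identity to the template text. The
// mail-from address is not included, so it can change without effect.
func signingInput(identity, template string) []byte {
	return []byte(identity + "\n" + template)
}

// Sign produces the submission with the POC's private key.
func Sign(identity, mailFrom, template string, priv ed25519.PrivateKey) SignedTemplate {
	return SignedTemplate{
		ClaimedIdentity: identity,
		MailFrom:        mailFrom,
		Template:        template,
		Signature:       ed25519.Sign(priv, signingInput(identity, template)),
	}
}

// Verify is the authentication step: it answers only "was this template
// signed by the key registered for the claimed identity?" and returns that
// identity. It never consults MailFrom.
func (r *Registry) Verify(st SignedTemplate) (string, error) {
	pub, ok := r.keys[st.ClaimedIdentity]
	if !ok {
		return "", errors.New("no key registered for claimed identity " + st.ClaimedIdentity)
	}
	if !ed25519.Verify(pub, signingInput(st.ClaimedIdentity, st.Template), st.Signature) {
		return "", errors.New("signature does not verify under the registered key")
	}
	return st.ClaimedIdentity, nil
}

// Authorize is the separate step the post describes: now that the sender's
// identity is known, is that identity allowed to ask for this change?
func (r *Registry) Authorize(identity, resource string) bool {
	for _, id := range r.admins[resource] {
		if id == identity {
			return true
		}
	}
	return false
}

func main() {
	reg := NewRegistry()
	pub, priv := NewKeyPair()
	reg.Register("POC-ALICE", pub)            // constructed POC handle
	reg.Grant("NET-192-0-2-0-1", "POC-ALICE") // constructed resource handle

	tmpl := "template: net-mod\nnet: 192.0.2.0/24\ntech-c: POC-ALICE\n" // constructed template
	st := Sign("POC-ALICE", "alice@example.net", tmpl, priv)

	// Sent from a different mailbox: still verifies, since mail-from is not checked.
	st.MailFrom = "alice.home@example.org"
	id, err := reg.Verify(st)
	fmt.Println(id, err, reg.Authorize(id, "NET-192-0-2-0-1"))

	// Template altered in transit: the signature no longer binds it to the identity.
	bad := st
	bad.Template = tmpl + "tech-c: POC-MALLORY\n"
	_, err = reg.Verify(bad)
	fmt.Println(err)

	// Someone else's key claiming the same identity: rejected.
	_, other := NewKeyPair()
	_, err = reg.Verify(Sign("POC-ALICE", "alice@example.net", tmpl, other))
	fmt.Println(err)
}
```

Verify deliberately returns the identity rather than a bare boolean: that identity, taken from the signed envelope and checked against the registered key, is what the authorization step consumes, which is exactly the "claimed identity" a mail-from submission never carries.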

More information about the ARIN-PPML mailing list