[ppml] 2007-1, was Re: mail auth proposals
woody at pch.net
Fri Apr 13 05:25:09 EDT 2007
On Thu, 12 Apr 2007, william(at)elan.net wrote:
> > We don't feel that ARIN should apply something other than the
> > normally-accepted PGP authentication process (check government-issued
> > photo ID in the physical presence of the other person, and hear their key
> > fingerprint from them directly). There's a right way to do it, and ARIN
> > shouldn't break an established practice.
> So you're in fact thinking about #2 and identity verification as main
> purpose behind it?
Both #1 and #2. Basically, this is best-practice, as established globally
by the other RIRs. It works well enough elsewhere. Obviously one could
engineer something else if one were starting from scratch, but it would be
unproven. This is proven, and good enough, and not much work. And
there's no reason for ARIN to be gratuitously different from the rest of
the world, when the difference is for the worse.
> I don't understand your reasons. ARIN staff should be free to use any
> email authentication method relevant to their job duties and they don't
> need our permission. And I don't think policy should be used to educate
> them especially when it's basically MAY anyway.
In this case, MAY is as opposed to MAY NOT, rather than as opposed to
SHOULD or MUST. The worry of the authors is that internal staff policy
(as opposed to bottom-up public policy) might later get made which
precluded staff also signing with their own keys. We thought, as you do,
that that would be unfortunate.