[ppml] Policy Proposal 2007-1 - Last Call

Stephen Sprunk stephen at sprunk.org
Thu Apr 26 12:56:20 EDT 2007

Thus spake "Edward Lewis" <Ed.Lewis at neustar.biz>
>I thought I understood Randy's objection, but after a re-read I don't
> think I do.  Still, I believe that any chain relying on non-ARIN
> (approved) trusted introductions is a bad idea.
> Let's say I get someone to sign a key for me with an identity of
> Owen DeLong.  If ARIN accepts that someone as a trusted
> introducer, then how can ARIN distinguish between templates
> submitted by me signed with my Owen key and templates Owen
> genuinely submits?
> Authorization policy is undermined by weakness in the
> authentication method.

All valid objections, and ones that counsel noted, but one must remember 
that MAIL-FROM authentication means that today anyone can send in an email 
template with Owen's From: address and it'll be considered "authentic". 
While I agree there's potential for fraud with PGP, pulling it off in 
practice is more difficult than what we have today and the proposal should 
not be rejected solely on those grounds.

I do urge the AC to reduce the number of steps in the chain before moving 
this proposal forward.  Five seems to be way too many; I'd be happiest with 
one, but I'd accept two or three.


Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov 

More information about the ARIN-PPML mailing list