[ppml] Policy Proposal 2007-1 - Last Call

Edward Lewis Ed.Lewis at neustar.biz
Thu Apr 26 14:26:33 EDT 2007


At 11:56 -0500 4/26/07, Stephen Sprunk wrote:

>All valid objections, and ones that counsel noted, but one must remember that
>MAIL-FROM authentication means that today anyone can send in an email
>template with Owen's From: address and it'll be considered "authentic". While
>I agree there's potential for fraud with PGP, pulling it off in practice is
>more difficult than what we have today and the proposal should not be rejected
>solely on those grounds.

I have been reviewing the proposals as much as possible individually, 
meaning I try not to compare the merits of one versus the other.  I 
haven't been trying to compare PGP to mail-from, but there is no 
doubt that any approach to security using PGP is better than relying 
on mail-from.  I just haven't considered settling for a "step up" as 
the goal - not to argue, but to let you know my frame of reference.

>I do urge the AC to reduce the number of steps in the chain before moving this
>proposal forward.  Five seems to be way too many; I'd be happiest with one,
>but I'd accept two or three.

Being that I am not a fan of PGP (I am not against it, but do not use 
it after my experience working with it about 8 years ago at a company 
that bought the rights to it from Zimmermann and then ditched the 
product before selling a copy), I would like to hear, from the 
proposal authors perhaps, why the number 5 is in the policy proposal.

(When I say I am not a fan, take that as I am not someone who has 
full and accurate knowledge of the technology and isn't about to set 
down my other duties to go and study up on it.  I am not against PGP, 
maybe I just don't understand some fine point.)

BTW, I am sympathetic to Dillon's belief that this is too detailed 
for PPML, but it is in the proposal and there really is no other 
venue to cover this within the ARIN umbrella of discussion fora.

When I read the policy proposal 2007-1, my vision of five steps was 
from Pat Blow's keys signed by Menynty Encyunse in Elbonia, signed by 
the mythical $mail-troll, signed by someone that has legacy space but 
managed to have PGP keys signed by ARIN.

Perhaps the vision of the authors would be more along the lines of 
"IP-admin-role-of-Bill's-Bait-n-Sushi-ISP" signed by 
"Bill's-Bait-n-Sushi-ISP" signed by ARIN.

In the latter case, I can see a multi-step $word-of-trust being used, 
but not in the former case.

Edward Lewis                                                +1-571-434-5468

Sarcasm doesn't scale.
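The two signing chains sketched in the message above, modelled as a certification graph so the "number of steps" can be measured instead of argued about. This is an added example, not code from the ARIN-PPML post or from policy proposal 2007-1; every key name is a constructed placeholder, "ARIN" is assumed to be the trust anchor, and the hop limit is simply a parameter so the post's figure of 5 can be compared with the 2 or 3 suggested in the quoted reply. A hop here is one signature, so a key the anchor signed directly is 1 hop away.

```python
"""Certification-path depth in a PGP-style web of trust (added example).

Models the two chains described in the post: Pat Blow's key reached via
several intermediate signers, versus an ISP role key signed by the ISP
key that ARIN itself signed. All names are constructed placeholders.
"""
from collections import deque

# Constructed certification graph: signer -> keys that signer has signed.
# "ARIN" is the assumed trust anchor. "rogue-signer" is present to show
# that a signature from a key nobody anchored does not create a path.
CERTIFICATIONS = {
    "ARIN": {"legacy-holder", "Bills-Bait-n-Sushi-ISP"},
    "legacy-holder": {"mail-troll"},
    "mail-troll": {"Menynty-Encyunse"},
    "Menynty-Encyunse": {"Pat-Blow"},
    "Bills-Bait-n-Sushi-ISP": {"IP-admin-role"},
    "rogue-signer": {"rogue-key"},
}


def shortest_path(anchor, target, certs):
    """Breadth-first search from the anchor along signature edges.

    Returns the list of keys from anchor to target (inclusive), or None
    when no chain of signatures connects them. The parents map doubles
    as the visited set, so cycles of mutual signing cannot loop forever.
    """
    parents = {anchor: None}
    queue = deque([anchor])
    while queue:
        key = queue.popleft()
        if key == target:
            path = []
            while key is not None:
                path.append(key)
                key = parents[key]
            return path[::-1]
        for signed in certs.get(key, ()):
            if signed not in parents:
                parents[signed] = key
                queue.append(signed)
    return None


def hops(anchor, target, certs):
    """Number of signatures between anchor and target, or None if unreachable."""
    path = shortest_path(anchor, target, certs)
    return None if path is None else len(path) - 1


def accepted(anchor, target, certs, max_hops):
    """Policy check: the key is reachable within max_hops signatures."""
    distance = hops(anchor, target, certs)
    return distance is not None and distance <= max_hops


if __name__ == "__main__":
    for key in ("Pat-Blow", "IP-admin-role", "rogue-key"):
        print(key, shortest_path("ARIN", key, CERTIFICATIONS),
              "hops:", hops("ARIN", key, CERTIFICATIONS))
```

With this graph, the Elbonia chain is 4 signatures deep and passes a limit of 5 but fails a limit of 3, while the ISP role key is 2 deep and passes either; the unanchored rogue key is rejected under any limit because no path from the anchor exists. Real PGP trust calculation also weighs owner-trust and marginal versus full certifications, which this plain reachability check deliberately leaves out.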
