[ppml] Policy Proposal 2007-1: Reinstatement of PGP Authentication Method

Leo Bicknell bicknell at ufp.org
Tue Feb 20 19:26:06 EST 2007


As one of the AC shepards I'd like to solicit some feedback on this
proposal.  During our review several members of ARIN staff and the
AC raised concerns about the exact phrasing of this proposal.  As
a community many have said we don't want to tell ARIN staff how to
operate ARIN through policy, and this proposal has to walk that
line.

I believe it would be valuable to the authors if some community
members could provide their comments on how to best word this policy
such that it accomplishes the goal of making PGP authentication
available while at the same time allowing ARIN staff to have as
much lattitude as possible in the implementation details.

Note, while the discussion is with this policy, as it implements
something new, it goes hand in hand with 2007-2 and 2007-3, which
seek to update the documentation for Mail From and X.509 to be
complementary.

As always, we also need more comments on if you are for or against
this policy.

In a message written on Fri, Feb 16, 2007 at 05:48:22PM -0500, Member Services wrote:
> On 15 February 2007 the ARIN Advisory Council (AC) concluded its review
> of 'Reinstatement of PGP Authentication Method' and accepted it as a
> formal policy proposal for discussion by the community.
> 
> The proposal is designated Policy Proposal 2007-1: Reinstatement of PGP
> Authentication Method. The proposal text is below and can be found at:
> http://www.arin.net/policy/proposals/2007_1.html
> 
> All persons in the community are encouraged to discuss Policy Proposal
> 2007-1 prior to it being presented at the ARIN Public Policy Meeting in
> San Juan, Puerto Rico, 23-24 April 2007. Both the discussion on the
> Public Policy Mailing List and at the Public Policy Meeting will be used
> to determine the community consensus regarding this policy proposal.
> 
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
> 
> ARIN's Policy Proposal Archive can be found at:
> http://www.arin.net/policy/proposals/proposal_archive.html
> 
> Regards,
> 
> Member Services
> American Registry for Internet Numbers (ARIN)
> 
> 
> ## * ##
> 
> 
> Policy Proposal 2007-1: Reinstatement of PGP Authentication Method
> 
> Authors:
> Paul Vixie,
> Mark Kosters,
> Chris Morrow,
> Jared Mauch,
> Bill Woodcock
> 
> Proposal type: New
> 
> Policy term: Permanent
> 
> Policy statement:
> 
> ADDITION TO NRPM
> 
> 12 Authentication Methods
> 
> 12.1 Mail-From
> This section intentionally left blank.
> 
> 12.2 PGP
> ARIN accepts PGP-signed email as authentic communication from authorized
> Points of Contact. POCs may denote their records "crypt-auth,"
> subsequent to which unsigned communications shall not be deemed
> authentic with regard to those records.
> 
> 12.3 X.509
> This section intentionally left blank.
> 
> UPDATES TO TEMPLATES
> 
> ARIN shall update templates as necessary to identify and distinguish
> between mail-from, PGP, and X.509 authentication methods.
> 
> UPDATES TO DOCUMENTATION
> 
> ARIN shall update documentation as appropriate to explain the
> differences between mail-from, PGP, and X.509 authentication methods.
> 
> KEY USE IN COMMUNICATION:
> 
> ARIN shall accept PGP-signed communications, validate that a chain of
> trust not longer than five steps exists between the signing key and the
> ARIN hostmaster role key, compare the signing key to the identity of the
> authorized POCs for records referenced in the correspondence, and act
> appropriately based upon the validity or invalidity of the signature.
> 
> ARIN shall PGP-sign all outgoing hostmaster email with the hostmaster
> role key, and staff members may optionally also sign mail with their own
> individual keys.
> 
> ARIN shall accept PGP-encrypted communications which are encrypted using
> ARIN's hostmaster public key.
> 
> ARIN shall not encrypt any outgoing communications except at the prior
> request of the recipient.
> 
> Rationale:
> 
> Globally, PGP is the most commonly used cryptographic authentication
> method between RIRs and resource recipients who wish to protect their
> resource registration records against unauthorized modification. The
> PGP-auth authentication method is supported by RIPE, APNIC, and AfriNIC,
> LACNIC supports an equivalent mechanism, and PGP was historically
> supported by the InterNIC prior to ARIN's formation. By contrast,
> current ARIN resource recipients have only two options: "mail-from,"
> which is trivially spoofed and should not be relied upon to protect
> important database objects, and X.509, which involves a rigorous and
> lengthy proof-of-identity process and compels use of a compatible MUA, a
> combination which has dissuaded essentially all of ARIN's constituents.
> Additionally, X.509's centralized failure mode is technically and
> ideologically repugnant to some members of the community, who should not
> be forced to choose between two evils.
> 
> There isn't a lot of work to do here, and certainly nothing tricky. PGP
> is simple code, which was supported by the InterNIC, and which the other
> RIRs deployed without a second thought or complaint. If RIPE and APNIC
> have always done this, the InterNIC did it before ARIN was formed, and
> LACNIC and AfriNIC took the need for cryptographic security for granted
> as a part of their startup process, we see no reason why ARIN should be
> the only RIR to not offer this most basic of protections to its members.
> 
> We need to get PGP support reinstated, so that our records can be
> protected against hijacking and vandalism, and so we won't look like
> idiots as the only one of the five regions that can't figure this stuff out.
> 
> Timetable for implementation: Immediate
> 
> _______________________________________________
> PPML mailing list
> PPML at arin.net
> http://lists.arin.net/mailman/listinfo/ppml

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20070220/07397388/attachment-0001.sig>


More information about the ARIN-PPML mailing list