[arin-ppml] ARIN validation of authorized contacts

George, Wes E [NTK] Wesley.E.George at sprint.com
Thu Mar 31 08:53:51 EDT 2011


John - thanks for your response. A couple of comments below inline
Wes

-----Original Message-----
From: John Curran [mailto:jcurran at arin.net] 
Sent: Thursday, March 31, 2011 8:16 AM
Subject: Re: [arin-ppml] ARIN validation of authorized contacts

On Mar 31, 2011, at 7:34 AM, George, Wes E [NTK] wrote:

> That is, how do you prove to ARIN that:
> a) you are who you say you are
We seek government-issued identification for this purpose.

[WEG] How does that work if you're working entirely via email? Most of your customers don't exactly walk into your office. I don't
remember being asked to provide any ID prior to being made the primary POC for an X-Large resource holder... I mean, in my case, one
of the existing POCs added me, so in that sense, they vouched for my identity, but that could have just as easily been a compromised
password that someone uses to update this information.

> b) that you are actually an agent for the company you are purportedly 
> representing
> c) that you are authorized to request changes on behalf of said company.
These are addressed by requiring officer attestation for requests

[WEG] Sure, for new resource requests. What about changes being requested to whois data, POC records, reverse DNS delegation, etc?


> As we look at the SIDR origin validation implementation, where ARIN would be providing Resource Certificates for the rightful
owner > to originate an announcement of a given block of addresses, I think this becomes more than just an annoyance.

We will only provide certificates to the address holder per the ARIN Whois database.
[WEG] Exactly my point. Unless you have a way of securing and vouching for the validity of those whois POC records, this is an
attack vector. We had a subsidiary that we bought, and the address POC records had not been updated to point to our common address
management team yet. In the meantime, a former employee of the subsidiary updated the records so that they now pointed to his new
company, and so it looked like *we* were actually the ones using the addresses without authorization. They threatened us that they
would start announcing the blocks within a few weeks until ARIN restored the correct address records. What happens if someone uses
this to pull down a certification and doesn't warn the original owner first?
I will try to bring this up at open mic, but I wanted to start some discussion here among some who may have ideas on the security
BCP that would be appropriate here.
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6781 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20110331/c8d99937/attachment.p7s>


More information about the ARIN-PPML mailing list