[arin-ppml] Policy question

Jimmy Hess mysidia at gmail.com
Thu Sep 20 00:31:18 EDT 2012


On 9/19/12, Steve Noble <snoble at sonn.com> wrote:
> It's an interesting subject.  It must rely on what ARIN defines authorized

> If the object is protected by an email address, the person with the
> email address would be assumed to be authorized.  If protected by PGP,
> MD5 or CRYPT-PW, then the same thing would apply.  If someone steals

ARIN doesn't allow you to register a PGP key with them anymore to
sign templates with; MD5 and CRYPT-PW are also not options, so only
relatively insecure means are available to authenticate requests:
namely, an API key, a static token which must be generated once
and then sent in plaintext over e-mail with each request, which could
be subject to abuse if mail was intercepted by an attacker, but that
is the only method of authentication for e-mail templates that I am
aware of.


It is possible that someone unauthorized to make a change to an entry
could gain control of the e-mail address; then they could review old
mail in the "Sent Items" folder to collect the API key, and would
"appear authorized" to send new templates and initiate an
unauthorized request to allocate, transfer, or change contact info on
address resources. As far as the automated system is concerned, it
would validate as "authorized", but actually it would be an
unauthorized change, hopefully subject to policy such as that.

> If ARIN means by hacking the database (literally), then that would
> certainly be an issue that they would deal with but that would not
> affect a company who is authorized to modify the object.

--
-JH


