[arin-ppml] Policy question

[Jimmy Hess]

On 9/19/12, Steve Noble <snoble at sonn.com> wrote:
> It's an interesting subject.  It must rely on what ARIN defines authorized

> If the object is protected by an email address, the person with the
> email address would be assumed to be authorized.  If protected by PGP,
> MD5 or CRYPT-PW, then the same thing would apply.  If someone steals

ARIN doesn't allow you to register a PGP key with them anymore, to
sign templates with, MD5 and CRYPT-PW are also not options,  so only
relatively insecure means are available to authenticate requests:
namely, an   API  key, a static token which must be generated once,
and then sent in plaintext over e-mail with each request,  which could
be subject to abuse if mail was intercepted by an attacker,  but that
is the only method of authentication for e-mail templates that I am
aware of.


It is possible that someone unauthorized to make a change to an entry,
could gain control of the e-mail address,  then they could review old
mail in the "Sent Items" folder to collect the API key, and would
"appear authorized"  to send new templates,  and initiate an
unauthorized request to allocate, transfer, or change contact info on
address resources,  as far as the automated system is concerned it
would validate as "authorized", but

actually, it would be an unauthorized change,   hopefully subject to
policy such as that.

> If ARIN means by hacking the database (literally), then that would
> certainly be a issue that they would deal with but that would not
> affect a company who is authorized to modify the object.

--
-JH