<HTML><BODY>
<P><B>1. Policy Proposal Name:</B> Reinstatement of PGP Authentication Method</P>

<P><B>2. Authors:</B></P>

<P>1. name: Paul Vixie<BR>
2. email: <A href="mailto:paul@vix.com">paul@vix.com</A><BR>
3. telephone: +1 650 423 1300<BR>
4. organization: Internet Systems Consortium</P>

<P>1. name: Mark Kosters<BR>
2. email: <A href="mailto:markk@verisignlabs.com">markk@verisignlabs.com</A><BR>
3. telephone: +1 703 948 3200<BR>
4. organization: Verisign</P>

<P>1. name: Chris Morrow<BR>
2. email: <A href="mailto:christopher.morrow@verizonbusiness.com">christopher.morrow@verizonbusiness.com</A><BR>
3. telephone: +1 703 886 3823<BR>
4. organization: Verizon Business/UUnet</P>

<P>1. name: Jared Mauch<BR>
2. email: <A href="mailto:jmauch@us.ntt.net">jmauch@us.ntt.net</A><BR>
3. telephone: +1 214 915 1356<BR>
4. organization: NTT/Verio</P>

<P>1. name: Bill Woodcock<BR>
2. email: <A href="mailto:woody@pch.net">woody@pch.net</A><BR>
3. telephone: +1 415 831 3100<BR>
4. organization: Packet Clearing House</P>

<P><B>3. Proposal Version:</B> 1</P>

<P><B>4. Submission Date:</B> Tuesday, October 24, 2006</P>

<P><B>5. Proposal type:</B> New</P>

<P><B>6. Policy term:</B> Permanent</P>

<P><B>7. Policy statement:</B></P>

<P>ADDITION TO NRPM</P>

<P>3.5 Authentication Methods<BR>
ARIN supports three authentication methods for communication with resource recipients.</P>

<P>3.5.1 Mail-From<BR>
This section intentionally left blank.</P>

<P>3.5.2 PGP<BR>
ARIN accepts PGP-signed email as authentic communication from authorized Points of Contact. POCs may denote their records "crypt-auth," subsequent to which unsigned communications shall not be deemed authentic with regard to those records.</P>

<P>3.5.3 X.509<BR>
This section intentionally left blank.</P>

<P>UPDATES TO TEMPLATES</P>

<P>ARIN shall include the auth-type field in request templates as necessary to distinguish between cryptographic and mail-from authentication methods.</P>

<P>UPDATES TO DOCUMENTATION</P>

<P>ARIN shall update documentation as appropriate, to explain the differences between mail-from, PGP, and X.509 authentication methods.</P>

<P>KEY USE IN COMMUNICATION:</P>

<P>ARIN shall accept PGP-signed communications, validate the signature, compare it to the identity of the authorized POCs for records referenced in the correspondence, and act appropriately based upon the validity or invalidity of the signature.</P>

<P>ARIN shall PGP-sign all outgoing hostmaster email with the hostmaster role key, and staff members may optionally also sign mail which they originate with their own individual keys.</P>

<P>ARIN shall accept PGP-encrypted communications which are encrypted using ARIN's hostmaster public key.</P>

<P>ARIN shall not encrypt any outgoing communications, except by explicit mutual prior agreement with the recipient.</P>

<P>NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:</P>

<P>It is recommended that ARIN utilize normal POC-verification processes as necessary to accommodate users who lose the private key or passphrase associated with the POCs for their crypt-auth protected resources.</P>

<P>It is recommended that ARIN exercise reasonable caution in preventing the proliferation of copies of the hostmaster private key and passphrase.</P>

<P>It is recommended that ARIN print out a copy of the private key and passphrase, and secure them in a safe-deposit box outside of ARIN's physical premises, which any two ARIN officers might access in the event that the operating copy of the key is lost or compromised.</P>

<P>It is recommended that ARIN publish the hostmaster public key on the ARIN web site, in a manner similar to that of the other RIRs:<BR>
<A href="http://lacnic.net/hostmaster-pub-key.txt">http://lacnic.net/hostmaster-pub-key.txt</A><BR>
<A href="https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc">https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc</A><BR>
<A href="ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY">ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY</A></P>

<P>It is recommended that ARIN publish the hostmaster public key by submitting it to common PGP keyservers which, among others, might include:<BR>
pgp.mit.edu<BR>
<A href="http://www.pgp.net">www.pgp.net</A></P>

<P>It is recommended that ARIN attempt to cross-sign the hostmaster PGP keys of the other four RIRs and ICANN.</P>

<P>It is recommended that ARIN's hostmaster public key be signed by members of the ARIN board of trustees.</P>

<P><B>8. Rationale:</B></P>

<P>Globally, PGP is the most commonly used cryptographic authentication method between RIRs and resource recipients who wish to protect their resource registration records against unauthorized modification. The PGP-auth authentication method is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was historically supported by the InterNIC prior to ARIN's formation. By contrast, current ARIN resource recipients have only two options: "mail-from," which is trivially spoofed and should not be relied upon to protect important database objects, and X.509, which involves a rigorous and lengthy proof-of-identity process and compels use of a compatible MUA, a combination which has dissuaded virtually all of ARIN's constituents.</P>

<P>There isn't a lot of work to do here, and certainly nothing tricky. The hostmaster key has existed since InterNIC days, and ARIN staff have verified that the key and passphrase are still known and working fine. This is simple code, which all the other RIRs deployed without a second thought or complaint. If RIPE and APNIC have always done this, the InterNIC did it before ARIN was formed, and LACNIC and AfriNIC took this for granted as a part of their startup process, we see no reason why ARIN should be the only RIR to not offer this most basic of protections to its members.</P>

<P>We need to get PGP support reinstated, so that our records can be protected against hijacking and vandalism, and so we won't look like idiots as the only one of the five regions that can't figure this stuff out.</P>

<P><B>9. Timetable for implementation:</B> Immediate</P>

<P><B>10. Meeting presenter:</B> Bill Woodcock</P>

<P>END OF TEMPLATE</P>
</BODY></HTML>