Policy Proposal: Reinstatement of PGP Authentication Method
Member Services
info at arin.net
Wed Oct 25 09:34:37 EDT 2006
ARIN received the following policy proposal. In accordance with the ARIN
Internet Resource Policy Evaluation Process, the proposal is being
posted to the ARIN Public Policy Mailing List (PPML) and being placed on
ARIN's website.
The ARIN Advisory Council (AC) will review this proposal and may decide to:
1. Accept the proposal as a formal policy proposal as it is presented;
2. Work with the author to:
a) clarify the language or intent of the proposal;
b) divide the proposal into two (2) or more proposals; or
c) combine the proposal with other proposals; or,
3. Not accept the proposal as a formal policy proposal.
This proposal was received within 10 days of the next scheduled meeting
of the ARIN Advisory Council; the review period may be extended to the
regularly scheduled meeting that occurs after the upcoming meeting.
If the AC accepts the proposal or reaches an agreement with the author,
then the proposal will be posted as a formal policy proposal to PPML and
it will be presented at a Public Policy Meeting. If the AC does not
accept the proposal or can not reach an agreement with the author, then
the AC will notify the community of their decision with an explanation;
at that time the author may elect to use the petition process to advance
their proposal. If the author elects not to petition or the petition
fails, then the proposal will be considered closed.
The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html
Mailing list subscription information can be found at:
http://www.arin.net/mailing_lists/index.html
Regards,
Member Services
American Registry for Internet Numbers (ARIN)
## * ##
Policy Proposal Name: Reinstatement of PGP Authentication Method
Authors:
Paul Vixie
Mark Kosters
Chris Morrow
Jared Mauch
Bill Woodcock
Submission Date: Tuesday, October 24, 2006
Proposal type: New
Policy term: Permanent
Policy statement:
ADDITION TO NRPM
3.5 Authentication Methods
ARIN supports three authentication methods for
communication with resource recipients.
3.5.1 Mail-From
This section intentionally left blank.
3.5.2 PGP
ARIN accepts PGP-signed email as authentic
communication from authorized Points of Contact. POCs
may denote their records "crypt-auth," subsequent to
which unsigned communications shall not be deemed
authentic with regard to those records.
3.5.3 X.509
This section intentionally left blank.
UPDATES TO TEMPLATES
ARIN shall include the auth-type field in request templates as
necessary to distinguish between cryptographic and mail-from
authentication methods.
UPDATES TO DOCUMENTATION
ARIN shall update documentation as appropriate, to explain the
differences between mail-from, PGP, and X.509 authentication
methods.
KEY USE IN COMMUNICATION:
ARIN shall accept PGP-signed communications, validate the
signature, compare it to the identity of the authorized POCs
for records referenced in the correspondence, and act
appropriately based upon the validity or invalidity of the
signature.
ARIN shall PGP-sign all outgoing hostmaster email with the
hostmaster role key, and staff members may optionally also
sign mail which they originate with their own individual keys.
ARIN shall accept PGP-encrypted communications
which are encrypted using ARIN's hostmaster public key.
ARIN shall not encrypt any outgoing communications, except by
explicit mutual prior agreement with the recipient.
NON-BINDING RECOMMENDED KEY MANAGEMENT PRACTICES:
It is recommended that ARIN utilize normal POC-verification
processes as necessary to accommodate users who lose the
private key or passphrase associated with the POCs for their
crypt-auth protected resources.
It is recommended that ARIN exercise reasonable caution in
preventing the proliferation of copies of the hostmaster
private key and passphrase.
It is recommended that ARIN print out a copy of the private key
and passphrase, and secure them in a safe-deposit box outside
of ARIN's physical premises, which any two ARIN officers might
access in the event that the operating copy of the key is lost
or compromised.
It is recommended that ARIN publish the hostmaster public key
on the ARIN web site, in a manner similar to that of the other
RIRs:
http://lacnic.net/hostmaster-pub-key.txt
https://www.ripe.net/rs/pgp/ncc-pgpkey-2006.asc
ftp://ftp.apnic.net/pub/zones/PUBLIC_KEY
It is recommended that ARIN publish the hostmaster public key
by submitting it to common PGP keyservers which, among others,
might include:
pgp.mit.edu
www.pgp.net
It is recommended that ARIN attempt to cross-sign the
hostmaster PGP keys of the other four RIRs and ICANN.
It is recommended that ARIN's hostmaster public key be signed
by members of the ARIN board of trustees.
Rationale:
Globally, PGP is the most commonly used cryptographic
authentication method between RIRs and resource recipients who
wish to protect their resource registration records against
unauthorized modification. The PGP-auth authentication method
is supported by RIPE, APNIC, LACNIC, and AfriNIC, and it was
historically supported by the InterNIC prior to ARIN's
formation. By contrast, current ARIN resource recipients have
only two options: "mail-from," which is trivially spoofed and
should not be relied upon to protect important database
objects, and X.509, which involves a rigorous and lengthy
proof-of-identity process and compels use of a compatible MUA,
a combination which has dissuaded virtually all of ARIN's
constituents.
There isn't a lot of work to do here, and certainly nothing
tricky. The hostmaster key has existed since InterNIC days, and
ARIN staff have verified that the key and passphrase are still
known and working fine. This is simple code, which all the
other RIRs deployed without a second thought or complaint. If
RIPE and APNIC have always done this, the InterNIC did it
before ARIN was formed, and LACNIC and AfriNIC took this for
granted as a part of their startup process, we see no reason
why ARIN should be the only RIR to not offer this most basic of
protections to its members.
We need to get PGP support reinstated, so that our records can
be protected against hijacking and vandalism, and so we won't
look like idiots as the only one of the five regions that can't
figure this stuff out.
Timetable for implementation: Immediate