Policy Proposal: Documentation of the Mail-From Authentication Method

Wed Oct 25 09:34:48 EDT 2006

ARIN received the following policy proposal. In accordance with the ARIN
Internet Resource Policy Evaluation Process, the proposal is being
posted to the ARIN Public Policy Mailing List (PPML) and being placed on
ARIN's website.

The ARIN Advisory Council (AC) will review this proposal and may decide to:

1. Accept the proposal as a formal policy proposal as it is presented;
2. Work with the author to:
     a) clarify the language or intent of the proposal;
     b) divide the proposal into two (2) or more proposals; or
     c) combine the proposal with other proposals; or, 3. Not accept the
proposal as a formal policy proposal.

This proposal was received within 10 days of the next scheduled meeting
of the ARIN Advisory Council; the review period may be extended to the
regularly scheduled meeting that occurs after the upcoming meeting.

If the AC accepts the proposal or reaches an agreement with the author,
then the proposal will be posted as a formal policy proposal to PPML and
it will be presented at a Public Policy Meeting. If the AC does not
accept the proposal or can not reach an agreement with the author, then
the AC will notify the community of their decision with an explanation;
at that time the author may elect to use the petition process to advance
their proposal. If the author elects not to petition or the petition
fails, then the proposal will be considered closed.

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Mailing list subscription information can be found at:
http://www.arin.net/mailing_lists/index.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)

## * ##

Policy Proposal Name: Documentation of the Mail-From Authentication Method

Authors:
Paul Vixie
Mark Kosters
Chris Morrow
Jared Mauch
Bill Woodcock

Proposal Version: 1

Submission Date: Tuesday, October 24, 2006

Proposal type: New

Policy term: Permanent

Policy statement:

       DELETION FROM THE NRPM

          3.5.1 Mail-From
                This section intentionally left blank.

       ADDITION TO THE NRPM

          3.5.1 Mail-From
                Mail-From is the default authentication method by which
                registration records are protected from vandalism. If a
                registrant fails to designate a more secure method, any
                subsequent email which bears the sender address of an
                authorized Point of Contact may be deemed authentic with
                regard to the registrant's records. Since it is trivial
                to forge a sender address, Mail-From should not be
                regarded as secure. Use of Mail-From authentication is
                not recommended to any registrant who has the means to
                implement either of the more secure cryptographic
                authentication methods.
Rationale:

       This policy complements the previously-proposed "Reinstatement of
       PGP Authentication Method" which introduces section 3.5 to the
       NRPM. Section 3.5 relates the existence of three authentication
       methods. Two of those, mail-from and X.509, were preexisting but
       not documented within the NRPM.

       This policy proposal simply seeks to provide brief documentation
       of the existence of the mail-from authentication method. Because
       the specific wording of the documentation may be subject to
       debate, and is in no way interdependent upon the documentation of
       the other two methods, it is being proposed in a separate policy,
       so that consensus may be more easily reached.

Timetable for implementation: Immediate