Re: [ncc-services-wg] Improved Secure Communication for Registration Services (RS) Mailboxes
- Date: Fri, 27 Feb 2004 11:22:37 +0100
--On Wednesday, February 25, 2004 18:03:04 +0100 Shane Kerr
shane@localhost wrote:
> Any technology for securing e-mail restricts client choice. Among the
> e-mail clients that members use, there is superior "out of the box"
> support for X.509 than PGP. I say this based on the research that we did
> in response to concerns about S/MIME compatibility.
Please elaborate, because I have a hard time finding an email client not
supporting an ASCII-armored PGP message, but there are tons of them
frowning on X.509 attachments. Some of us actually do the equivalent of:
    $EDITOR ripe-template.txt
    gpg --clearsign --output - ripe-template.txt | /bin/mail somebody@localhost
for our RIPE communications.
> As others have noted, we can support both X.509 and PGP. We can also
> support *only* PGP, although I think because of #2, above, this is not a
> good solution.
I would argue that it is the other way around; given the forced choice of
"only one" the broadest support exists for PGP.
> Although the basic question of "do we need this at all" still seems open
> to me. In some ways, security is like insurance: it is only a problem if
> you don't have it after you should have.
>
> Ignoring the "PGP versus X.509" question, does the membership want us to
> support signed e-mail at all? What about encrypted e-mail?
Given the mess an evil person can do by creatively adjusting records in the
routing database, I suggest that RIRen must actively promote the use of
technologies that protect our infrastructure; thus, signing should be more
or less mandatory, and encryption should be available for secure
out-of-band communications -- this then more human-to-human, to solve
strange issues, send sensitive data, and so forth.
rgds,
--
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE