Orbit

Hi Randy,

On 09/08/2006, at 1:42 AM, Randy Bush wrote:

for those using web, or only for those whose means of access is limited by choice or circumstances to email?

The comparative complexity is much higher in secure encrypted email based mechanisms. But you do raise an interesting question, how many members of APNIC are limited to email for internet traffic and unable to reach a web page or establish a tcp connection to port 443 for a REST conversation?

could you explain? the other registries seem to find pgp email doable. is that not sufficient? is the issue what happens when you want to go to x.509-based signatures.

The other registries accepting email based updates (Afrinic, RIPE, and ARIN) certainly do make both pgp and x.509 signed email systems work now. Although I think it is important to note that at present they support only signed emails, not encrypted emails. For the longer term registry model I don't believe it to be sufficient.

i.e. "it will be harder" might gain some sympathy if there was also a "because ..."

I'm a little worried that we might fall into a trap of focusing on "ways to make email work" instead of realising that email no longer fits into the registry model due to the growing need for all transactions with the APNIC registry to be encrypted and authorised using strong authentication methods with an immediate feedback cycle. I think it is worthwhile to also consider the improved workflows that a XML/REST system provides. I see these workflows as a prerequisite to the interactions that future registry functions are going to need. Such future functions that centre around resource certification.

Further to this is the existing concern that email has proved to be of varying reliability due to anti-spam implementations and what I describe as a growing social intolerance of automated mail flows. I would expect that APNIC's due diligence covers ensuring that any updates sent to APNIC are received in good order and replies similarly received by the registrant. Unfortunately we can't make such guarantees with any form of email.

Terry -- Terry Manderson email: terry@apnic.net Snr Systems & Network Architect, APNIC sip: info@voip.apnic.net http://www.apnic.net phone: +61 7 3858 3100

Hi Randy,

On 09/08/2006, at 5:46 PM, Randy Bush wrote:

and other than the 'immediate' for which i am not sure i see the absolute need, why is encrypted and signed email satisfactory?

I assume you mean "isn't satisfactory" ;-)

An interactive session, either via atomic REST update or web gui, provides the registrant with a completed transaction conversation in a single session. It provides both the member and the secretariat confirmation that each party received acknowledgement of any modification to data. This is something that I don't believe can be done using email as we know it.

There are also cost considerations here, setting aside what might be technically achievable. APNIC has a successful secured interface in MyAPNIC and it seems to be wasteful of member funds to create a second disparate system to match the same features of MyAPNIC via email, instead of simply extending MyAPNIC to provide member usable and modifiable command line tools that talk XML/REST/HTTPS.

Cheers, Terry -- Terry Manderson email: terry@apnic.net Snr Systems & Network Architect, APNIC sip: info@voip.apnic.net http://www.apnic.net phone: +61 7 3858 3100