Re: [sig-policy] prop-037-v001: Deprecation of email updates for APNIC R

To: Randy Bush <randy at psg dot com>
Subject: Re: [sig-policy] prop-037-v001: Deprecation of email updates for APNIC Registry and whois
From: Terry Manderson <terry at apnic dot net>
Date: Wed, 9 Aug 2006 12:16:44 +1000
Cc: sig-policy at apnic dot net, Toshiyuki Hosaka <hosaka at nic dot ad dot jp>
In-reply-to: <17624.45311.607955.83742 at roam dot psg dot com>
List-archive: <http://www.apnic.net/mailing-lists/sig-policy>
List-help: <mailto:sig-policy-request@lists.apnic.net?subject=help>
List-id: APNIC SIG on resource management policy <sig-policy.lists.apnic.net>
List-post: <mailto:sig-policy@lists.apnic.net>
List-subscribe: <http://mailman.apnic.net/mailman/listinfo/sig-policy>, <mailto:sig-policy-request@lists.apnic.net?subject=subscribe>
List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/sig-policy>, <mailto:sig-policy-request@lists.apnic.net?subject=unsubscribe>
References: <f6ee8e65fa5c725eaf4ab6fa4b813597@psg.com> <db727d4ab6de40c0f94e47810fbdbdd6@apnic.net> <17624.45311.607955.83742@roam.psg.com>

Hi Randy,

On 09/08/2006, at 1:42 AM, Randy Bush wrote:


for those using web, or only for those whose means of access is
limited by choice or circumstances to email?


The comparative complexity is much higher in secure encrypted
email based mechanisms. But you do raise an interesting question,
how many members of APNIC are limited to email for internet
traffic and unable to reach a web page or establish a tcp
connection to port 443 for a REST conversation?

could you explain?  the other registries seem to find pgp email
doable.  is that not sufficient?  is the issue what happens when
you want to go to x.509-based signatures.


The other registries accepting email based updates (Afrinic, RIPE,
and ARIN) certainly do make both pgp and x.509 signed email systems
work now. Although I think it is important to note that at present
they support only signed emails, not encrypted emails. For the
longer term registry model I don't believe it to be sufficient.

i.e. "it will be harder" might gain some sympathy if there was
also a "because ..."


I'm a little worried that we might fall into a trap of focusing on
"ways to make email work" instead of realising that email no longer
fits into the registry model due to the growing need for all
transactions with the APNIC registry to be encrypted and authorised
using strong authentication methods with an immediate feedback cycle.
I think it is worthwhile to also consider the improved workflows
that a XML/REST system provides. I see these workflows as a
prerequisite to the interactions that future registry functions
are going to need. Such future functions that centre around
resource certification.

Further to this is the existing concern that email has proved to
be of varying reliability due to anti-spam implementations and
what I describe as a growing social intolerance of automated mail
flows. I would expect that APNIC's due diligence covers ensuring
that any updates sent to APNIC are received in good order and
replies similarly received by the registrant. Unfortunately we
can't make such guarantees with any form of email.

Terry
--
Terry Manderson                         email:      terry at apnic dot net
Snr Systems & Network Architect, APNIC  sip:    info at voip dot apnic dot net
http://www.apnic.net                    phone:      +61 7 3858 3100