In this case we defaulted to trusting our customer and their LOA over a 
stranger on the Internet and asked our customer to review the request. 
Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't 
the actual assignee. A means to definitively prove "ownership" from a technical 
angle would be great.

In the example provided in my original e-mail, it appears that an IP broker or 
related scammer gained access to the assignee's RIR account and made some 
object updates (e-mail, country, etc.) that they could use to "prove" they had 
authority to make the request. I assume their offer of proof would have been to 
send us an email from the dubious @yahoo.com account they had listed as the 
admin contact. 

I agree with a private response that I received that at some point lawyers 
probably need to take over if a technical solution to verification is not 
reached. 

I'm not terribly current on resource certification, but would RPKI play a role 
here? It looks like its application is limited to authenticating the 
announcement of resources to prevent route hijacking. If you've authorized a 
3rd party to announce your routes, could you assign a certificate to that 3rd 
party for a specific resource and then revoke it if they are no longer 
authorized? Would it matter if someone gains access to your RIR/LIR account and 
revokes the certificate? This would assume protocol compatibility, that 
everyone is using it, etc. 

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jason Hellenthal
Sent: Monday, March 12, 2018 6:40 PM
To: George William Herbert <george.herb...@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Proof of ownership; when someone demands you remove a prefix

How about signed ownership? (https://keybase.io) If you are able to update the 
record … and it is able to be signed, then shouldn’t that be proof enough of 
ownership of the ASN?

If you can update a forward DNS record then you can have the reverse record 
updated in the same sort of fashion and signed by a third party to provide 
first party of authoritative ownership… Assuming you have an assigned ASN and 
the admin has taken the time to let alone understand the concept and properly 
prove the identity in the first place… (EV cert?)


Just a light opinion from … https://jhackenthal.keybase.pub

Trust is a big issue these days and validation even worse given SSL trust.

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.





> On Mar 12, 2018, at 21:20, George William Herbert <george.herb...@gmail.com> 
> wrote:
> 
> Ownership?...
> 
> (Duck)
> 
> -george 
> 
> Sent from my iPhone
> 
>> On Mar 12, 2018, at 4:11 PM, Randy Bush <ra...@psg.com> wrote:
>> 
>> it's a real shame there is no authoritative cryptographically verifiable
>> attestation of address ownership.

