nanog mailing list archives

RE: Proof of ownership; when someone demands you remove a prefix


From: "Sean Pedersen" <spedersen.lists () gmail com>
Date: Tue, 13 Mar 2018 07:23:06 -0700

In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer 
to review the request. Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual 
assignee. A means to definitively prove "ownership" from a technical angle would be great.

In the example provided in my original e-mail, it appears that an IP broker or related scammer gained access to the 
assignee's RIR account and made some object updates (e-mail, country, etc.) that they could use to "prove" they had 
authority to make the request. I assume their offer of proof would have been to send us an email from the dubious 
@yahoo.com account they had listed as the admin contact. 

I agree with a private response that I received that at some point lawyers probably need to take over if a technical 
solution to verification is not reached. 

I'm not terribly current on resource certification, but would RPKI play a role here? It looks like its application is 
limited to authenticating the announcement of resources to prevent route hijacking. If you've authorized a 3rd party to 
announce your routes, could you assign a certificate to that 3rd party for a specific resource and then revoke it if 
they are no longer authorized? Would it matter if someone gains access to your RIR/LIR account and revokes the 
certificate? This would assume protocol compatibility, that everyone is using it, etc. 

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Jason Hellenthal
Sent: Monday, March 12, 2018 6:40 PM
To: George William Herbert <george.herbert () gmail com>
Cc: nanog () nanog org
Subject: Re: Proof of ownership; when someone demands you remove a prefix

How about signed ownership? (https://keybase.io) if you are able to update the record … and it is able to be signed 
then shouldn’t that be proof enough of ownership of the ASN?

If you can update a forward DNS record then you can have the reverse record updated in the same sort of fashion and 
signed by a third party to provide first party of authoritative ownership… Assuming you have an assigned ASN and the 
admin has taken the time to let alone understand the concept and properly prove the identity in the first place… (EV 
cert?)


Just a light opinion from … https://jhackenthal.keybase.pub

Trust is a big issue these days and validation even worse given SSL trust.

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.





On Mar 12, 2018, at 21:20, George William Herbert <george.herbert () gmail com> wrote:

Ownership?...

(Duck)

-george 

Sent from my iPhone

On Mar 12, 2018, at 4:11 PM, Randy Bush <randy () psg com> wrote:

it's a real shame there is no authoritative cryptographically verifiable
attestation of address ownership.


