Ed,
On 27/05/2019 11.42, Edward Shryane via db-wg wrote:
> Dear Working Group,
>
> as mentioned at last week's DB-WG meeting, I'd like to propose extending
> authenticating references to other objects.
>
> Currently, only references to organisation objects can be protected with the
> mnt-ref attribute.
>
> However, we could extend this protection to other types of objects:
> - Abuse-c role
> - Technical contact, admin contact, zone contact etc. (person/role)
> - Organisation maintainer(s)

Indeed the reason that "mnt-ref:" was chosen as a name instead of
"mnt-org:" or the like was so that it could be general-purpose.

> This would prevent unauthorised references to an organisation's objects (e.g.
> to impersonate a third party or mis-direct abuse email).
>
> Please let me know your feedback on this proposal.

In principle wider use of "mnt-ref:" makes sense, but I'm not sure
exactly what is being proposed.

If you mean allowing "mnt-ref:" on *specific* PERSON, ROLE, and MNTNER
objects then I think that this is a potential source of confusion, and
needlessly complicates the database. (For example, only PERSON objects
used as a "tech-c:".)

If you mean allowing "mnt-ref:" on *all* PERSON and ROLE objects, then I
support that.

I am unsure if "mnt-ref:" is necessary on MNTNER objects, as I thought
that they already required authentication by the MNTNER object itself to
be referred to anywhere ("mnt-by:", "mnt-lower:", "mnt-domains:", or
"mnt-routes:")? So, isn't "mnt-ref:" already implicit for MNTNER objects?

Also, it's not clear if the proposal includes adding "ref-nfy:" along
with "mnt-ref:". I think that should be included as well.

Cheers,
--
Shane
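
The reference check discussed in this thread, as an added example that is not part of either message and is not code from the RIPE Database software. It assumes the "all PERSON and ROLE objects" reading of the proposal and a simplified model in which an update is accepted when at least one of its authenticated maintainers appears in the referenced object's "mnt-ref:" list; every object, handle and maintainer name is constructed.

```python
# Added illustration; every object, handle and maintainer name is constructed.
REF_ATTRS = {"org", "admin-c", "tech-c", "zone-c", "abuse-c"}
KEY_ATTRS = ("organisation", "nic-hdl")  # assumed lookup keys for referenced objects

def parse_objects(text):
    """Split RPSL-style text into objects, each a list of (attribute, value)."""
    objects = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        objects.append([(k.strip().lower(), v.strip()) for k, _, v in pairs])
    return objects

def unauthorised_refs(update, database, authenticated):
    """References in `update` whose target's mnt-ref excludes every authenticated maintainer."""
    index = {v: obj for obj in database for k, v in obj if k in KEY_ATTRS}
    denied = []
    for attr, value in update:
        target = index.get(value) if attr in REF_ATTRS else None
        if target is None:
            continue
        allowed = {v for k, v in target if k == "mnt-ref"}
        # A target without mnt-ref is unprotected: anyone may reference it.
        if allowed and not allowed & set(authenticated):
            denied.append((attr, value))
    return denied

SAMPLE_DB = parse_objects("""\
organisation: ORG-EX1-TEST
mnt-ref: EXAMPLE-MNT
mnt-by: EXAMPLE-MNT

role: Example Abuse Desk
nic-hdl: EXAB1-TEST
mnt-ref: EXAMPLE-MNT
mnt-by: EXAMPLE-MNT

person: Unprotected Person
nic-hdl: UP1-TEST
mnt-by: OTHER-MNT
""")

SAMPLE_UPDATE = parse_objects("""\
inetnum: 192.0.2.0 - 192.0.2.255
org: ORG-EX1-TEST
abuse-c: EXAB1-TEST
tech-c: UP1-TEST
mnt-by: OTHER-MNT
""")[0]
```

Calling `unauthorised_refs(SAMPLE_UPDATE, SAMPLE_DB, ["OTHER-MNT"])` flags the `org` and `abuse-c` references, while the `tech-c` reference to the person without "mnt-ref:" passes, which is the gap the proposal aims to close for contact objects.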