Ed,

On 27/05/2019 11.42, Edward Shryane via db-wg wrote:
Dear Working Group,
as mentioned at last week's DB-WG meeting, I'd like to propose extending authenticating references to other objects.
Currently, only references to organisation objects can be protected with the mnt-ref attribute.
However, we could extend this protection to other types of objects:
- Abuse-c role
- Technical contact, admin contact, zone contact etc. (person/role)
- Organisation maintainer(s)
Indeed the reason that "mnt-ref:" was chosen as a name instead of "mnt-org:" or the like was so that it could be general-purpose.
This would prevent unauthorised references to an organisation's objects (e.g. to impersonate a third party or mis-direct abuse email).
Please let me know your feedback on this proposal.
In principle wider use of "mnt-ref:" makes sense, but I'm not sure exactly what is being proposed.

If you mean allowing "mnt-ref:" on *specific* PERSON, ROLE, and MNTNER objects then I think that this is a potential source of confusion, and needlessly complicates the database. (For example, only PERSON objects used as a "tech-c:".)

If you mean allowing "mnt-ref:" on *all* PERSON and ROLE objects, then I support that.

I am unsure if "mnt-ref:" is necessary on MNTNER objects, as I thought that they already required authentication by the MNTNER object itself to be referred to anywhere ("mnt-by:", "mnt-lower:", "mnt-domains:", or "mnt-routes:")? So, isn't "mnt-ref:" already implicit for MNTNER objects?

Also, it's not clear if the proposal includes adding "ref-nfy:" along with "mnt-ref:". I think that should be included as well.

Cheers,

--
Shane