[db-wg] Authenticating References to Objects

Ed,

On 27/05/2019 11.42, Edward Shryane via db-wg wrote:
> Dear Working Group,
> 
> as mentioned at last week's DB-WG meeting, I'd like to propose extending authenticating references to other objects.
> 
> Currently, only references to organisation objects can be protected with the mnt-ref attribute.
> 
> However, we could extend this protection to other types of objects:
> 
> - Abuse-c role
> - Technical contact, admin contact, zone contact etc. (person/role)
> - Organisation maintainer(s)

Indeed the reason that "mnt-ref:" was chosen as a name instead of 
"mnt-org:" or the like was so that it could be general-purpose.

> This would prevent unauthorised references to an organisation's objects (e.g. to impersonate a third party or mis-direct abuse email).
> 
> Please let me know your feedback on this proposal.

In principle wider use of "mnt-ref:" makes sense, but I'm not sure 
exactly what is being proposed.

If you mean allowing "mnt-ref:" on *specific* PERSON, ROLE, and MNTNER 
objects then I think that this is a potential source of confusion, and 
needlessly complicates the database. (For example, only PERSON objects 
used as a "tech-c:".)

If you mean allowing "mnt-ref:" on *all* PERSON and ROLE objects, then I 
support that.

I am unsure if "mnt-ref:" is necessary on MNTNER objects, as I thought 
that they already required authentication by the MNTNER object itself to 
be referred to anywhere ("mnt-by:", "mnt-lower:", "mnt-domains:", or 
"mnt-routes:")? So, isn't "mnt-ref:" already implicit for MNTNER objects?

Also, it's not clear if the proposal includes adding "ref-nfy:" along 
with "mnt-ref:". I think that should be included as well.

Cheers,

--
Shane