
Signature expiration check proposal

This is a proposal about changes to how the whois database software checks PGP and X.509 signatures on incoming updates.

Currently the software checks that a PGP signature is valid by using GNU Privacy Guard (GnuPG). It verifies X.509 signatures with an OpenSSL (Secure Sockets Layer) tool.

We propose to change the software so that it also checks the signature creation date. If the signature is older than one week, it will be rejected and the update will fail.

This is to prevent replay attacks on database objects. We became aware of this potential threat when we designed the DNSSEC provisioning system.
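The following sketch shows how such a freshness check could sit on top of GnuPG's machine-readable status output (`--status-fd`) for the PGP case. It is an added example, not code from the whois database software; the function names, the five-minute clock-skew tolerance for future-dated signatures, and the sample status lines are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(weeks=1)      # limit stated in the proposal
MAX_SKEW = timedelta(minutes=5)   # assumption: tolerance for future-dated signatures


def parse_sig_time(field):
    # GnuPG emits the timestamp as epoch seconds or as ISO 8601 (yyyymmddThhmmss).
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def check_update_signature(status_output, now):
    """Return (accepted, reason) for the signatures on one incoming update."""
    created = []
    for line in status_output.splitlines():
        parts = line.split()
        # [GNUPG:] VALIDSIG <fpr> <date> <sig-timestamp> <expire-timestamp> ...
        if len(parts) >= 5 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            try:
                created.append(parse_sig_time(parts[4]))
            except ValueError:
                return False, "unparseable signature time"
    if not created:
        return False, "no valid signature"
    for ts in created:
        if now - ts > MAX_AGE:
            return False, "signature older than one week"
        if ts - now > MAX_SKEW:
            return False, "signature dated in the future"
    return True, "ok"


def sample_status(created):
    # Constructed status output; the fingerprint is a placeholder, not a real key.
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"
    return ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer\n"
            f"[GNUPG:] VALIDSIG {fpr} {created:%Y-%m-%d} "
            f"{int(created.timestamp())} 0 4 0 1 8 00 {fpr}\n")


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    for age in (timedelta(days=1), timedelta(days=14)):
        print(age, check_update_signature(sample_status(now - age), now))
```

The creation time is part of the signed data, so a captured update cannot be given a newer date without invalidating the signature; the check only shortens the window in which a captured update can be resubmitted.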

 
