This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Signature expiration check proposal
- Previous message (by thread): [db-wg] Announcement Routing Registry Training Courses
- Next message (by thread): [db-wg] Signature expiration check proposal
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Katie Petrusha
katie at ripe.net
Thu Jul 21 14:49:34 CEST 2005
Dear Colleagues, This is a proposal about changes to how the whois database software checks PGP and X.509 signatures on incoming updates. Currently the software checks that the PGP signature is valid by using Gnu Privacy Guard (GnuPG). It verifies X.509 signatures with an OpenSSL (Secure Sockets Layer) tool. We propose to change the software, so that it also checks the signature creation date. If the signature is older than one week, it will be rejected and the update will fail. This is to prevent replay attacks on database objects. We became aware of this potential threat when we designed the DNSSEC provisioning system. -- Katie Petrusha RIPE NCC
- Previous message (by thread): [db-wg] Announcement Routing Registry Training Courses
- Next message (by thread): [db-wg] Signature expiration check proposal
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]