This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Signature expiration check proposal
- Previous message (by thread): [db-wg] Signature expiration check proposal
- Next message (by thread): [db-wg] mntner creation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Joao Damas
joao-ripe at c-l-i.net
Mon Jul 25 14:31:44 CEST 2005
excellent idea, I would even propose the allowed time to be shorter, like one day or two (at most) Joao On 21 Jul, 2005, at 14:49, Katie Petrusha wrote: > Dear Colleagues, > > This is a proposal about changes to how the whois database software > checks > PGP and X.509 signatures on incoming updates. > > Currently the software checks that the PGP signature is valid by > using Gnu > Privacy Guard (GnuPG). It verifies X.509 signatures with an OpenSSL > (Secure > Sockets Layer) tool. > > We propose to change the software, so that it also checks the > signature > creation date. If the signature is older than one week, it will be > rejected > and the update will fail. > > This is to prevent replay attacks on database objects. We became > aware of this potential threat when we designed the DNSSEC > provisioning > system. > > -- > Katie Petrusha > RIPE NCC > >
- Previous message (by thread): [db-wg] Signature expiration check proposal
- Next message (by thread): [db-wg] mntner creation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]