[db-wg] Proposal to deprecate CRYPT-PW authorisation in the RIPE Database

Wilfried Woeber, UniVie/ACOnet wrote:
> Max Tulyev wrote:
>
>   
>> Hi Katie!
>>
>> Why not just to hide encrypted password from public view (as it done
>> with e-mails)?
>>     
>
> Even that is a bad hack which I resent, but eventually I gave in. We had
> done a similar thing in the past, with a different attribute, and we had to
> roll back.
>
> And we would have to invent just another flag to undo the hiding. This cannot
> be kept secret for long, so what?
> 	(Not doing that would actually require "everyone" to keep a *local*
> 	 copy of the hash on backup for inclusion in the next update.
> 	 That's asking for chaos :-( )
>
>   

    The IRRd software returns the special token "HIDDENCRYPTPW" for the 
CRYPT-PW value.
Note this is 13 characters long and thus a legal CRYPT-PW value.   If an 
update is submitted with
this value, the existing CRYPT-PW is left in place.   There is a very 
small chance of a collision with
an actual password, but the probability is deemed to be too low to be of 
concern for this application.
Things can get a bit tricky if one has multiple CRYPT-PW passwords.  I 
can go over the algorithm
used by IRRd in such cases if anyone cares.


   -Larry Blunk
    Merit Network