FW: [db-wg] Proposal to deprecate CRYPT-PW authorisation in the RIPE Database

Hi,

(I'm adding db-wg at ripe.net back into the CC: list)

On Thu, Oct 05, 2006 at 01:50:09PM +0400, Potapov Vladislav wrote:
> > From: Gert Doering [mailto:gert at space.net] 
> > Changing from CRYPT-PW to MD5-PW doesn't incur any 
> > operational changes, and doesn't require key management and 
> > crypto of any sort, but *will* improve security.
> No "operational changes"? 

In the day-to-day operation ("sending in mails to change objects to the 
RIPE DB") going from CRYPT-PW to MD5-PW *will* *not* *change* *anything*.

The mail will still contain a "password: <something>" block, just the
way this password is hashed in the maintainer object is different.

> Let's look at the plan to get an image that it's not so "problemless". 

So where exactly *do* you see "problems"?

In your mail you speak about "crypto" - which is NOT involved here
(except hashing the password) - this proposal is not forcing anybody
to go to PGP, just to a different password storing scheme.

> I don't speak about RIPE resources which
> should support this change.
> About security: there was several opponents of your view already. I'm
> adding myself to them.

Please get a reality check on what is proposed, and what is proposed as
replacement.

> > From: Gert Doering [mailto:gert at space.net] 
> > Security issues in the IRR DB impact all of us (like "fake objects, 
> > use that to leverage a routing attack").
> Let's not say fairy tales about that. I have asked about REAL LIFE
> problems with the scheme. Nobody has answered.

*Good* security is fixing problems *before* they happen.

Like "lock your front door when you leave your house, even if you
have never been burglared yet".

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  98999

SpaceNet AG                    Mail: netmaster at Space.Net
Joseph-Dollinger-Bogen 14      Tel : +49-89-32356-0
D- 80807 Muenchen              Fax : +49-89-32356-234