[db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database

Dear colleague,

Since any change in the current process means significantly changing the behaviour of the RIPE Database* and will break existing use cases of the system, it is not something the RIPE NCC can make a decision on. 
The change should come from and get approved by the community and the RIPE NCC can then implement it. Obviously we as RIPE NCC can suggest technical solutions -and that's why we have brought up the issue on different occasions- but still, agreeing on and implementing them will require community's consensus.

In the mean time we are publishing an article on RIPE Labs outlining the current situation and highlighting the problem statement as well as guidelines for mitigating the risk until a full solution is found. 
We are also adding a password strength indicator to the online MD5 hash generator as an additional measure.

Kind Regards,
Kaveh Ranjbar,
RIPE Database Group Manager

*- As an example, current Update process requires the full object -including the hashes for maintainer objects- to be used in the update message.

    
On Nov 8, 2011, at 3:01 PM, virtu virtualabs wrote:

> That would mean RIPE NCC did not do anything while people has been aware of this fact since 2 years ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/db-wg/attachments/20111108/f1e10fac/attachment.html>