This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[db-wg] Update of mntner object with mixed authentication

Previous message (by thread): [db-wg] Update of mntner object with mixed authentication
Next message (by thread): [db-wg] Update of mntner object with mixed authentication

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Denis Walker denis at ripe.net
Wed Jul 18 15:11:01 CEST 2012

Dear Alex,

The current arrangement of hiding MD5 password hashes is based on a 
series of community discussions and two iterations of the 
implementation. Although the consensus is that hiding the hashes is 
beneficial from a security point of view, unfortunately this does result 
in some corner cases that are not easy to resolve. This is an extreme 
example of such a corner case with so many people sharing the use of one 
MNTNER.

Currently there is no simple way for a user with only PGP credentials to 
modify a MNTNER object like this one. Only one of the users with a 
password can query the full object. Wilfried has suggested one work 
around. Bear in mind that these corner cases only occur when there is a 
mixture of credential options. If all users used either password or PGP 
there is no issue. So another work around in this case could be for the 
PGP users to included a strong password as well. As there are already so 
many passwords in this object, perhaps this would not affect the overall 
security level.

The RIPE NCC is currently re-developing the whole of the RIPE Database 
update software. As part of this process the RIPE NCC would like to put 
a proposal to the community for additional authentication options 
including an extension to the RIPE NCC Single Sign On service (SSO) to 
cover authentication of updates to the RIPE Database. This could provide 
a long term solution to the MNTNER problem.

We are still in the early stages of this re-development, which we expect 
to last for a few months. So we don't yet have the full details of 
additional authentication options. But when we do we will submit it to 
the community for consideration. The RIPE NCC is also always open to 
suggestions from the community for solutions to known problems.

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group

On 18/07/2012 13:04, Anders Mundt Due wrote:
>>
>> I'm trying to update the "shared" 6to4 anycast-relay maintainer object
>> RFC3068-MNT.  My own authentication for the object is PGP.  But how
>> the heck do I get a full copy of the object including the other
>> people's MD5 hashes if I don't have a password myself?
>>
>
> I don't see a way of doing that as it is, you can't use PGP to authenticate a request for an object, so either, everybody have to remove their passwords from the RFC3068-MNT or all those that want to be able to update it need to keep a password in.
>
> (Until this gets better I'm reluctantly keeping a password there)
>
> /Anders
>

Previous message (by thread): [db-wg] Update of mntner object with mixed authentication
Next message (by thread): [db-wg] Update of mntner object with mixed authentication

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ db-wg Archives ]