[db-wg] Filtering auth: attributes in the whois server

Hi Håvard, All,

>      In the whois server, if a maintainer object *only* contains
>      auth: lines using currently deemed to be secure methods
>      (currently PGP or X.509), then reveal all the auth: lines to
>      the whois client.  Otherwise, if the maintainer object
>      contains one or more lower-security auth: attribute
>      (currently MD5-based passwords), filter out *all* the auth:
>      attributes.

I would like to see this implemented, as it involves the least amount
of disruption to our existing practices. Indeed, when I first read the
documentation of the change, I thought this was in fact how the RIPE-NCC
had planned to implement it, but I a closer reading when experience
seemed to show otherwise proved me wrong.

There is one minor drawback with it, which I feel I could live with (as
I don't have any MD5 hashs that I know of to worry about). The change
would make it possible to identify mntner objects that have weak MD5
protection, by excluding any that show any auth: attributes. If the actual
hash is not disclosed though, I think the risk is minimal for the gain.

Best regards,
Brian.
-- 
Brian Boyle, Network Services Manager
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301  tel: +353-1-660 9040  fax: +353-1-660 3666
web: http://www.heanet.ie/