This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] call for application authorisation ideas
Job Snijders
job at ntt.net
Thu Aug 20 14:40:43 CEST 2015
Hi group,

I know all of you have automated your interactions with the RIPE database entirely. :-)

As it currently stands, there are two ways to automate interaction with the RIPE DB:

a) send GPG signed emails (and wait for the dumb greylisting to clear)
b) call the http://rest.db.ripe.net/{source}/{objecttype}/{key}?password=XXX restful API

Option A works, but is not very nice if you want something done immediately and require a confirmation that the operation succeeded. The advantage of option A is that you don't need any auth: MD5-PW lines in your mntner object and RIPE stores no sensitive data.

Option B goes very well with modern programming paradigms, but the disadvantage is that you need to have an "auth: MD5-PW XXX" line in your maintainer, and should that pass ever leak somehow it could be used through webupdates / email / api, from any location.

I think all in the group agree that it would be very nice if you can perform 100% of all operations without the need for any MD5-PW. I'll even go as far as stating that we should not be looking at successors such as SHA3-PW, let's leap forward and make the PW auth concept entirely obsolete. :-)

CALL FOR IDEAS
==============

Now that personalised authorisation is covered and in progress, what about our poor applications? How should they authenticate with the RIPE DB?

I see value in stuff like signalling to RIPE "this token can only be used for the API from this source IP address", I've also heard that OAUTH2 is magic and popular for app2app auth. Or maybe all of this is overkill and we just need to GPG sign the payload of the requests to rest.db.ripe.net and call it a day?

DB-WG, please speak up and voice your ideas!

Kind regards,

Job