This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] MD5s of the RIPE database, Deprecation of MD5 and safe authentication methods
Christiaan Ottow
chris at 6core.net
Wed May 6 08:49:25 CEST 2015
Hi Pierre,

On 05/05/15 23:20, Pierre Kim wrote:
> Dear Chris,
>
> My email was intended to propose having a safer authentication method.
>
> I was hoping that RIPE will either :
> - force users to change their passwords. After 4 years and the RIPE
> recommendation, 27.000 hashes are still being used on a total of
> 36.000 without update. Only 25% of the hashes have been updated.
> - deprecate MD5 in profit of stronger authentication methods.
>
> Having 75% of valid hashes in the nature is a concern, I think. Any
> security researcher who downloaded all the hashes could misuse this
> information.

I agree that having these hashes out there is a concern, and that it would be good if the MD5-crypt authentication method were disabled. However, that is a policy decision with quite some impact, and I don't think one person should be forcing the RIPE community to do so by threatening to disclose the entire list of hashes.

In common practice of responsible disclosure for software vulnerabilities, it is completely unaccepted to not only disclose the vuln but also dump the database, and here we're not even talking about a simple software vuln but about a policy change that affects many stakeholders.

I'm speaking only on behalf of myself as a member of the RIPE community, but I'd like to continue this meaningful discussion without a proverbial knife to anyone's throat.

--
chris