This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] numbered work item suggestion: support PGP authentication with whois-api
- Previous message (by thread): [db-wg] numbered work item suggestion: support PGP authentication with whois-api
- Next message (by thread): [db-wg] numbered work item suggestion: support PGP authentication with whois-api
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Thomas von Dein
tom at izb.net
Thu Nov 3 13:37:28 CET 2016
On Wed, Nov 02, 2016 at 01:20:05PM +0100, Thomas von Dein wrote: > > over a more modern API approach like Oauth2? > > Well, "modern" is tomorrow's crab. So, be it Oauth2 or something else as > long as it's secure, understandable, reliable and consistent. Ok, since there are no responses, let me explain the comment more detailed. As far as I know, RIPE doesn't provide Oauth based login for API access yet, only password based authentication. We cannot use this, since we don't have a password set on our maintainer object and we don't intend to change this. PGP based authentication on the other hand is already implemented elsewhere with RIPE (autodbm), hence the suggestion to use it in the REST API as well. One more thing about Oauth: you'd need an external provider for authentication forwarding. Which? And why shall I introduce another entity into the process? Also, building our own provider just for updating objects doesn't make any sense. Also, it's insecure [1], at least as it's implemented currently on most sites. So, the easiest way to implement this would be (for example) to introduce a query parameter 'signature' which contains a base64-encoded PGP signature of the current POST-data, which could be verified by the backend. Or something like this. best regards, Tom 1) http://insanecoding.blogspot.de/2016/04/oauth-why-it-doesnt-work-and-how-to-zero-day-attack.html -- Thomas von Dein <admins at f-i-ts.net> Finanz Informatik Technologie Service GmbH & Co. KG, OE 76052 Tel:089/94511-8833, Fax:089/94511-8941, http://www.f-i-ts.net
- Previous message (by thread): [db-wg] numbered work item suggestion: support PGP authentication with whois-api
- Next message (by thread): [db-wg] numbered work item suggestion: support PGP authentication with whois-api
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]