[db-wg] numbered work item suggestion: support PGP authentication with whois-api

On Wed, Nov 02, 2016 at 01:20:05PM +0100, Thomas von Dein wrote:
> > over a more modern API approach like Oauth2? 
> 
> Well, "modern" is tomorrow's crab. So, be it Oauth2 or something else as
> long as it's secure, understandable, reliable and consistent.

Ok, since there are no responses, let me explain the comment more
detailed. As far as I know, RIPE doesn't provide Oauth based login for
API access yet, only password based authentication.

We cannot use this, since we don't have a password set on our maintainer
object and we don't intend to change this.

PGP based authentication on the other hand is already implemented
elsewhere with RIPE (autodbm), hence the suggestion to use it in the
REST API as well.

One more thing about Oauth: you'd need an external provider for
authentication forwarding. Which? And why shall I introduce another
entity into the process? Also, building our own provider just for
updating objects doesn't make any sense.

Also, it's insecure [1], at least as it's implemented currently on most
sites. So, the easiest way to implement this would be (for example) to
introduce a query parameter 'signature' which contains a base64-encoded
PGP signature of the current POST-data, which could be verified by the
backend. Or something like this.



best regards,
Tom



1)
http://insanecoding.blogspot.de/2016/04/oauth-why-it-doesnt-work-and-how-to-zero-day-attack.html


--
Thomas von Dein <admins at f-i-ts.net>
Finanz Informatik Technologie Service GmbH & Co. KG, OE 76052
Tel:089/94511-8833, Fax:089/94511-8941, http://www.f-i-ts.net