This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
Christoffer Hansen
christoffer at netravnen.de
Sat Dec 1 17:00:46 CET 2018
On 05/11/2018 17:56, Gert Doering wrote:
> On Mon, Nov 05, 2018 at 04:12:10PM +0100, Edward Shryane via db-wg wrote:
>> Is it enough to update or delete a revoked key? Should the RIPE database process key revocation certificates?
>
> One of the problems here is that the RIPE DB cannot reliably know if
> a GPG key is revoked, unless it is *told*.
>
> "Telling it" can be done nicely by removing the key-cert object - otherwise
> it would need to poll key-servers and hope for a key revocation to appear
> there.

I suggest just removing the key-cert object, instead of updating the key-cert object with a revoked version.

> A catch-22 arises if the key-cert object needs a signed update with that
> very key to be deleted...

I would not use this approach of requiring a signed update to remove the key. If an authenticated SSO account is signed into the RIPE NCC website and tries to remove a key-cert object from the DB, this should be allowed.

--
Christoffer Hansen