This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
Edward Shryane
eshryane at ripe.net
Mon Nov 5 16:12:10 CET 2018
Hi Christoffer, DB WG,

> On 1 Nov 2018, at 15:35, Christoffer Hansen (Lists) via db-wg <db-wg at ripe.net> wrote:
>
> Dear DB WG,
>
> It came to my attention the RIPE NCC Database does not do validation of
> signed updates. (Other than checking the key is allowed to sign updates
> for object(s) in question)
>

The RIPE database validates a signed update message against any PGP or X509 key(s) associated with the maintainer(s) of the object. The database will WARN on update if the key-cert (containing a public key or certificate) is expired, and will FAIL the update if the key-cert is revoked.

> I got the understanding from writing to DB-WG-Chairs this was a decision
> made years back.
>

This has been the behaviour at least since the re-implementation in 2012; we retained the existing behaviour for compatibility.

> I think it is less than optimal from a security perspective that a signed
> update (with GPG and/or X509 certs) is not validated against (1) when
> the update was signed (e.g. signing was done 10 minutes ago) and (2)
> that the expiration date for the keys is not validated.
>

The RIPE database does validate key expiry, but only adds a warning to the response.

Should the RIPE database refuse to apply updates signed with an expired key?

Should the RIPE database refuse to apply updates that were signed more than 'n' minutes ago (or in the future)?

> Usually I will expect, if I revoke a GPG-key|X509-cert, it cannot be used
> any more. But the RIPE NCC Database does still allow this currently.
> This is relevant in the case I ever lose a private GPG-key|X509-cert to
> less than friendly 3rd-parties, and the lost private GPG-key|X509-cert
> is the one used for signing updates to the database.

Revoked keys indeed cannot be used any more. To revoke a key, you will need to update the existing key-cert object with the revoked version. You can also delete the key-cert object.

Is it enough to update or delete a revoked key?

Should the RIPE database process key revocation certificates?

> What I have in mind is the RIPE NCC Database begins verifying validity
> (not revoked and/or expired) of the GPG-key|X509-cert used to sign updates with.
>
> Christoffer
>

Regards
Ed Shryane
RIPE NCC
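The two policies discussed in the thread side by side, as an added example that is not RIPE NCC code and not part of the original messages. It reads constructed status lines modelled on GnuPG's `--status-fd` output (the VALIDSIG field layout and the EXPKEYSIG/REVKEYSIG tags are taken from GnuPG's documentation; treating them as the signature verifier's verdict is an assumption), then applies (a) the current behaviour Ed describes: unknown key fails, revoked key-cert fails, expired key-cert only warns; and (b) the stricter policy Christoffer proposes: expiry fails, and a signature older than `max_age` or dated in the future (beyond a small clock skew) fails. The fingerprints, the `max_age` of 10 minutes and the 5-minute skew are illustrative choices, not RIPE values.

```python
"""Policy check for PGP-signed database updates (added illustration).

gpg is assumed to have verified the signature already; this code only
consumes its reported status and applies the key-cert policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Outcome(Enum):
    ACCEPT = "accept"
    WARN = "warn"   # update applied, warning attached to the response
    FAIL = "fail"   # update rejected


@dataclass
class KeyCert:
    """Subset of a key-cert object: fingerprint, optional expiry, revocation flag."""
    fingerprint: str
    expires: Optional[datetime] = None
    revoked: bool = False


@dataclass
class Signature:
    fingerprint: str           # signing key, from VALIDSIG
    signed_at: datetime        # signature creation time, from VALIDSIG
    key_expired: bool = False  # gpg reported EXPKEYSIG / KEYEXPIRED
    key_revoked: bool = False  # gpg reported REVKEYSIG / KEYREVOKED


def parse_gpg_status(status_lines: List[str]) -> Optional[Signature]:
    """Extract the signing key and its state from gpg --status-fd style lines.
    Field layout follows GnuPG's doc/DETAILS (assumed):
    VALIDSIG <fpr> <sig-date> <sig-timestamp> <expire-timestamp> ..."""
    sig, expired, revoked = None, False, False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "VALIDSIG":
            signed_at = datetime.fromtimestamp(int(fields[4]), tz=timezone.utc)
            sig = Signature(fields[2], signed_at)
        elif tag in ("EXPKEYSIG", "KEYEXPIRED"):
            expired = True
        elif tag in ("REVKEYSIG", "KEYREVOKED"):
            revoked = True
    if sig is not None:
        sig.key_expired, sig.key_revoked = expired, revoked
    return sig


def check_update(sig: Optional[Signature], maintainer_keycerts: List[KeyCert],
                 now: datetime, strict: bool = False,
                 max_age: timedelta = timedelta(minutes=10),
                 clock_skew: timedelta = timedelta(minutes=5)) -> Tuple[Outcome, List[str]]:
    """strict=False: current behaviour (unknown -> FAIL, revoked -> FAIL, expired -> WARN).
    strict=True: proposed behaviour (expired -> FAIL, stale or future signature -> FAIL)."""
    msgs: List[str] = []
    if sig is None:
        return Outcome.FAIL, ["no valid signature found"]
    kc = {k.fingerprint: k for k in maintainer_keycerts}.get(sig.fingerprint)
    if kc is None:
        return Outcome.FAIL, [f"key {sig.fingerprint} is not a key-cert of the maintainer"]
    if kc.revoked or sig.key_revoked:
        return Outcome.FAIL, [f"key-cert {kc.fingerprint} is revoked"]
    outcome = Outcome.ACCEPT
    if sig.key_expired or (kc.expires is not None and kc.expires <= now):
        msgs.append(f"key-cert {kc.fingerprint} has expired")
        outcome = Outcome.FAIL if strict else Outcome.WARN
    if strict:
        age = now - sig.signed_at
        if age > max_age:
            msgs.append(f"signature is {age} old, limit is {max_age}")
            outcome = Outcome.FAIL
        elif age < -clock_skew:
            msgs.append("signature is dated in the future")
            outcome = Outcome.FAIL
    return outcome, msgs


# Constructed sample data (illustrative fingerprints, not real keys).
NOW = datetime(2018, 11, 5, 15, 12, tzinfo=timezone.utc)
FPR_VALID = "0123456789ABCDEF0123456789ABCDEF01234567"
FPR_EXPIRED = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
FPR_REVOKED = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
KEYCERTS = [
    KeyCert(FPR_VALID),
    KeyCert(FPR_EXPIRED, expires=datetime(2018, 1, 1, tzinfo=timezone.utc)),
    KeyCert(FPR_REVOKED, revoked=True),
]


def status_lines(fpr: str, signed_at: datetime, tag: str = "GOODSIG") -> List[str]:
    """Build constructed gpg status lines for a signature by `fpr` made at `signed_at`."""
    ts = int(signed_at.timestamp())
    return [f"[GNUPG:] {tag} {fpr[-16:]} Example Maintainer <mnt at example.net>",
            f"[GNUPG:] VALIDSIG {fpr} {signed_at:%Y-%m-%d} {ts} 0 4 0 1 10 00 {fpr}"]


def demo() -> dict:
    """Run each scenario from the thread under both policies."""
    fresh, stale, future = NOW - timedelta(minutes=2), NOW - timedelta(days=3), NOW + timedelta(hours=1)
    cases = {
        "valid_fresh": (FPR_VALID, fresh, "GOODSIG"),
        "valid_stale": (FPR_VALID, stale, "GOODSIG"),
        "valid_future": (FPR_VALID, future, "GOODSIG"),
        "expired": (FPR_EXPIRED, fresh, "EXPKEYSIG"),
        "revoked": (FPR_REVOKED, fresh, "REVKEYSIG"),
        "unknown_key": ("0000000000000000000000000000000000000000", fresh, "GOODSIG"),
    }
    results = {}
    for name, (fpr, when, tag) in cases.items():
        sig = parse_gpg_status(status_lines(fpr, when, tag))
        results[name + "_current"] = check_update(sig, KEYCERTS, NOW)[0]
        results[name + "_strict"] = check_update(sig, KEYCERTS, NOW, strict=True)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome.value}")
```

The `valid_stale` case is the one that separates the two positions in the thread: under the current behaviour a correctly signed but days-old update is accepted, so an intercepted signed message can be replayed; the strict policy rejects it. Note that the timestamp check only helps if the signing time is itself covered by the signature, which is the case for a PGP signature's creation time but must be checked separately for other signature formats.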