This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
- Previous message (by thread): [db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
- Next message (by thread): [db-wg] Policies and Guidelines for Assignments for Network Infrastructure and End User Networks
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gert Doering
gert at space.net
Mon Nov 5 17:56:31 CET 2018
Hi,

On Mon, Nov 05, 2018 at 04:12:10PM +0100, Edward Shryane via db-wg wrote:
> Should the RIPE database refuse to apply updates that were signed more than 'n' minutes ago (or in the future) ?

I think this would be a valuable improvement.

> > Usually I will expect if I revoke a GPG-key|X509-cert. It cannot be used
> > any more. But the RIPE NCC Database does still allow this currently.
> > This is relevant in the case I ever lose a private GPG-key|X509-cert to
> > less than friendly 3rd-parties. And the lost private GPG-key|X509-cert
> > is the one used for signing updates to the database.
>
> Revoked keys indeed cannot be used any more. To revoke a key, you will need to update the existing key-cert object with the revoked version. You can also delete the key-cert object.
>
> Is it enough to update or delete a revoked key? Should the RIPE database process key revocation certificates?

One of the problems here is that the RIPE DB cannot reliably know if a GPG key is revoked, unless it is *told*.

"Telling it" can be done nicely by removing the key-cert object - otherwise it would need to poll key-servers and hope for a key revocation to appear there.

A catch-22 arises if the key-cert object needs a signed update with that very key to be deleted...

(Not providing solutions, just bringing up aspects to consider)

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
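As an added illustration of the two checks discussed in this thread (not code from the RIPE NCC Database, nor from any of the posters), the following Python walks the OpenPGP (RFC 4880) packets of a stored key block and of an update signature and makes the policy decisions raised above: a key is unusable once the key-cert object carries a key revocation signature (type 0x20) or the expiry in its self-signature has passed, and an update is refused when the creation time of its signature falls outside a freshness window or lies in the future. It assumes the cryptographic verification of the signature has already succeeded and is done elsewhere, handles only v4 packets, and the sample packets are constructed inline with the MPIs left out, so they contain no real key material; the timestamps, the ten-minute window and the 60-second clock-skew allowance are illustrative choices, not anything the RIPE database does.

```python
"""Added example (not RIPE NCC Database code): policy checks on OpenPGP material.
Classifies a public key block as revoked / expired / valid and enforces a freshness window on
an update signature. Crypto verification is assumed elsewhere; samples are constructed, MPIs omitted."""
import struct

SIG_PACKET, PUBKEY_PACKET = 2, 6
SUB_CREATION_TIME, SUB_KEY_EXPIRATION = 2, 9
SIGTYPE_CERTS, SIGTYPE_KEY_REVOCATION = (0x10, 0x11, 0x12, 0x13), 0x20   # self-sigs may carry an expiry

def _read_length(buf, pos):
    """Length octets shared by new-format packet headers and signature subpackets."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def iter_packets(buf):
    """Yield (tag, body) for each packet of a binary OpenPGP blob, old or new header format."""
    pos = 0
    while pos < len(buf):
        hdr = buf[pos]
        if not hdr & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if hdr & 0x40:                            # new format: tag in the low 6 bits
            if 224 <= buf[pos + 1] < 255:
                raise ValueError("partial body lengths not supported")
            tag = hdr & 0x3F
            length, pos = _read_length(buf, pos + 1)
        else:                                     # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(buf[pos + 1:pos + 1 + (1, 2, 4)[ltype]], "big")
            pos += 1 + (1, 2, 4)[ltype]
        yield tag, buf[pos:pos + length]
        pos += length

def parse_subpackets(data):
    """Subpacket area -> {type: value}; the critical bit is stripped from the type octet."""
    out, pos = {}, 0
    while pos < len(data):
        length, pos = _read_length(data, pos)
        out[data[pos] & 0x7F] = data[pos + 1:pos + length]
        pos += length
    return out

def parse_signature(body):
    """Return (sig_type, hashed_subpackets, unhashed_subpackets) of a v4 signature packet."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    return body[1], parse_subpackets(body[6:6 + hlen]), parse_subpackets(body[8 + hlen:8 + hlen + ulen])

def key_status(key_block, now):
    """'revoked' if a key revocation signature (0x20) is present, 'expired' if a self-sig expiry passed."""
    created = expiry = None
    for tag, body in iter_packets(key_block):
        if tag == PUBKEY_PACKET and body[0] == 4:
            created = struct.unpack(">I", body[1:5])[0]
        elif tag == SIG_PACKET:
            sig_type, hashed, _ = parse_signature(body)
            if sig_type == SIGTYPE_KEY_REVOCATION:
                return "revoked"
            if sig_type in SIGTYPE_CERTS and created is not None and SUB_KEY_EXPIRATION in hashed:
                expiry = created + struct.unpack(">I", hashed[SUB_KEY_EXPIRATION])[0]
    return "expired" if expiry is not None and now >= expiry else "valid"

def signature_is_fresh(sig_blob, now, max_age, clock_skew=60):
    """Accept only a signature whose *hashed* creation time lies in [now - max_age, now + clock_skew]."""
    sigs = [body for tag, body in iter_packets(sig_blob) if tag == SIG_PACKET]
    if not sigs:
        return False
    _, hashed, _ = parse_signature(sigs[0])
    if SUB_CREATION_TIME not in hashed:           # the unhashed area is not covered by the signature
        return False
    created = struct.unpack(">I", hashed[SUB_CREATION_TIME])[0]
    return now - max_age <= created <= now + clock_skew

# --- constructed sample packets (hypothetical; MPIs left out, so nothing here is a real key) ---
def _subpacket(sub_type, data):
    return bytes([len(data) + 1, sub_type]) + data
def _packet(tag, body, old_format=False):        # bodies here are all shorter than 192 octets
    if old_format:                                # 0x99 is the familiar old-format public key header
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    return bytes([0xC0 | tag, len(body)]) + body
def build_signature(sig_type, created, extra_hashed=b"", creation_in_unhashed=False):
    ct = _subpacket(SUB_CREATION_TIME, struct.pack(">I", created))
    hashed, unhashed = (extra_hashed, ct) if creation_in_unhashed else (ct + extra_hashed, b"")
    body = bytes([4, sig_type, 1, 8])             # v4, signature type, RSA, SHA-256
    body += struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", len(unhashed)) + unhashed
    return _packet(SIG_PACKET, body + b"\x00\x00")    # left 16 bits of the hash; MPIs omitted
def build_pubkey(created, old_format=False):
    return _packet(PUBKEY_PACKET, bytes([4]) + struct.pack(">I", created) + bytes([1]), old_format)

KEY_CREATED = 1_500_000_000
NOW = 1_541_436_991                               # about the time this mail was sent
LIVE_KEY = build_pubkey(KEY_CREATED, old_format=True) + build_signature(
    0x13, KEY_CREATED, _subpacket(SUB_KEY_EXPIRATION, struct.pack(">I", 10 * 365 * 86400)))
REVOKED_KEY = LIVE_KEY + build_signature(SIGTYPE_KEY_REVOCATION, KEY_CREATED + 86400)
EXPIRED_KEY = build_pubkey(KEY_CREATED) + build_signature(
    0x13, KEY_CREATED, _subpacket(SUB_KEY_EXPIRATION, struct.pack(">I", 30 * 86400)))
```

Two points a practitioner should take from it. First, the creation time is read only from the hashed subpacket area: the unhashed area is not covered by the signature, so a value placed there could be altered by whoever holds the signed update, and a signature without a hashed creation time is refused outright. Second, `key_status` only reflects what is stored in the key-cert object, which is exactly the "unless it is told" problem above: once the object has been updated with the revoked version, the key can no longer authorise anything under this logic, including the deletion of its own key-cert object, so that deletion has to be authorised by some other method.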