This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] NWIs update
Tim Bruijnzeels
tim at nlnetlabs.nl
Wed Apr 10 13:14:44 CEST 2019
Hi,

auth-sso contains an identifier of an RIPE NCC Access SSO account. Actual details such as the email address and password are not stored in the RIPE DB.

To me it would make sense to have a similar approach for API Tokens. Have some identifier that is kept on the MNTNER object, but store the actual sensitive data in a separate system. This would also allow future flexibility regarding which hashing and/or encryption to use.

Essentially this would be an implementation detail that the RIPE NCC can look at, but which would not affect the whois as such.

Tim

> On 10 Apr 2019, at 12:41, Tore Anderson via db-wg <db-wg at ripe.net> wrote:
>
> * Nick Hilliard via db-wg
>> Gert Doering wrote on 10/04/2019 11:08:
>>> The attack vector against unsalted hashes is "rainbow tables"... make the
>>> API key something like 80 characters long, and no machine in the world
>>> can do anything but brute force.
>>
>> which will work until the DB ends up on https://haveibeenpwned.com/
>
> Guys,
>
> JFYI - https://lirportal.ripe.net/api/ already exists and the API keys it
> issues can apparently be used to maintain your RPKI data.
>
> It doesn't seem to me like adding the possibility for database maintenance
> via an API key make things any worse from a security standpoint.
>
> Tore
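
A sketch of the split described in the message above, as an added example that is not part of the original thread and not RIPE NCC code: the public object carries only a token identifier, while the digest of the secret lives in a separate store whose hashing scheme can change later. The `API-TOKEN <id>` auth value, the in-memory `credential_store`, the scheme names and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: a public whois object and a separate, private store.
mntner = {"mntner": "EXAMPLE-MNT", "auth": []}
credential_store = {}  # token id -> (scheme name, digest of the secret)

SCHEMES = {
    "sha256": lambda s: hashlib.sha256(s).digest(),
    "sha3-256": lambda s: hashlib.sha3_256(s).digest(),
}

def issue_token(obj, scheme="sha256"):
    """Create a token; only its identifier is written to the public object."""
    token_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(48)  # 64 random characters, never stored
    credential_store[token_id] = (scheme, SCHEMES[scheme](secret.encode()))
    obj["auth"].append(f"API-TOKEN {token_id}")  # hypothetical auth syntax
    return f"{token_id}.{secret}"  # shown to the user once

def verify_token(obj, presented, upgrade_to=None):
    """Check a presented token; optionally re-hash it under a newer scheme."""
    token_id, _, secret = presented.partition(".")
    record = credential_store.get(token_id)
    if record is None or f"API-TOKEN {token_id}" not in obj["auth"]:
        return False
    scheme, digest = record
    if not hmac.compare_digest(SCHEMES[scheme](secret.encode()), digest):
        return False
    if upgrade_to and upgrade_to != scheme:
        # The hashing change touches the private store only, not the object.
        new_digest = SCHEMES[upgrade_to](secret.encode())
        credential_store[token_id] = (upgrade_to, new_digest)
    return True
```

Removing the `API-TOKEN <id>` line from the object revokes the token even if the private store still holds its digest.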