[db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
Edward Shryane
eshryane at ripe.net
Mon Feb 11 15:55:45 CET 2019
Dear Working Group,

To follow up on this discussion, the upcoming Whois 1.93 release will implement the following changes:

- Updates signed with an expired PGP key or X509 certificate will now FAIL (currently a warning is generated).
- Updates will FAIL one hour after they are signed, and also updates signed more than one hour in the future.
- Updates to key-cert objects with an Expired or Revoked public key (or certificate) will FAIL.

To measure the potential impact of these changes, I reviewed all Whois updates between October - December 2018.

- Approximately 4% of all updates are signed with a PGP key or X509 certificate.
- 99% of X509 key-cert certificates are expired. I found 5 X509 signed updates with an expired key.
- 16% of PGP key-cert keys are expired. I found 63 PGP signed updates with an expired key.
- I found 24 PGP signed updates more than one hour in the past, and none signed in the future.

We will notify maintainers of expired key-cert objects separately (by email) of this upcoming change.

Regards
Ed Shryane
RIPE NCC

> On 1 Nov 2018, at 15:35, Christoffer Hansen (Lists) via db-wg <db-wg at ripe.net> wrote:
>
> Dear DB WG,
>
> It came to my attention the RIPE NCC Database does not do validation of
> signed updates. (Other than checking the key is allowed to sign updates
> for object(s) in question)
>
> I got the understanding from writing to DB-WG-Chairs this was a decision
> made years back.
>
> I think it is less than optimal from a security perspective that a signed
> update (with GPG and/or X509 certs) is not validated against (1) when
> the update was signed (e.g. signing was done 10 minutes ago) and (2)
> that the expiration date for the keys is not validated.
>
> Usually I would expect that if I revoke a GPG-key|X509-cert, it cannot be used
> any more. But the RIPE NCC Database does still allow this currently.
> This is relevant in the case I ever lose a private GPG-key|X509-cert to
> less than friendly 3rd-parties, and the lost private GPG-key|X509-cert
> is the one used for signing updates to the database.
>
> What I have in mind is that the RIPE NCC Database begins verifying validity
> (not revoked and/or expired) of the GPG-key|X509-cert used to sign updates with.
>
> Christoffer
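The three acceptance rules announced above (expired key, one-hour signing window, expired or revoked key on a key-cert update), written out as a standalone policy check. This is an added illustration, not code from the Whois server or from either poster; the `SignedUpdate` record, its field names and the sample timestamps are constructed for the example, standing in for what a real verifier would extract from a PGP signature packet or X.509 certificate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Maximum age, and maximum future skew, of a signature (the one-hour window from the announcement).
SIGNATURE_WINDOW = timedelta(hours=1)


@dataclass
class SignedUpdate:
    """Constructed record of what a verifier learns from a signed update (hypothetical field names)."""
    signed_at: datetime                 # signature creation time, timezone-aware UTC
    key_expires: Optional[datetime]     # key or certificate expiry; None means it never expires
    key_revoked: bool                   # revocation flag carried by the public key / certificate
    updates_key_cert: bool = False      # True if the object being updated is itself a key-cert


def validation_errors(update: SignedUpdate, now: datetime) -> List[str]:
    """Return every reason the update must FAIL; an empty list means the signature is acceptable.

    All three rules are evaluated so the submitter sees the full set of problems at once.
    The window bounds are treated as inclusive (an assumption; the announcement does not say).
    """
    errors = []
    key_expired = update.key_expires is not None and update.key_expires <= now
    if key_expired:
        errors.append("key expired")
    age = now - update.signed_at           # negative when the signature is dated in the future
    if age > SIGNATURE_WINDOW:
        errors.append("signature older than one hour")
    elif age < -SIGNATURE_WINDOW:
        errors.append("signature more than one hour in the future")
    if update.updates_key_cert and (key_expired or update.key_revoked):
        errors.append("key-cert update with expired or revoked key")
    return errors


if __name__ == "__main__":
    now = datetime(2019, 2, 11, 15, 0, tzinfo=timezone.utc)   # constructed "current" time
    samples = {
        "fresh": SignedUpdate(now - timedelta(minutes=10), now + timedelta(days=30), False),
        "stale": SignedUpdate(now - timedelta(hours=1, seconds=1), None, False),
        "revoked key-cert": SignedUpdate(now, None, True, updates_key_cert=True),
    }
    for name, upd in samples.items():
        print(f"{name}: {validation_errors(upd, now) or 'OK'}")
```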