This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ncc-services-wg@ripe.net/
[ncc-services-wg] Re: [db-wg] X.509 authentication in the RIPE Database, take II
- Previous message (by thread): [ncc-services-wg] X.509 authentication in the RIPE Database, take II
- Next message (by thread): [ncc-services-wg] Re: [db-wg] X.509 authentication in the RIPE Database, take II
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Joao Luis Silva Damas
joao at psg.com
Fri Aug 15 15:24:41 CEST 2003
Shane, adding a new strong authentication method to the Database, is in my own personal opinion, a good thing(tm), particularly if the same credential can be used for other interactions with the RIPE NCC, make user's life easier. I wonder however about a few questions: - will this auth method be available only to RIPE NCC members? Is it not seen as a valuable general addition for non-member users of the IRR part of the RIPE DB? - Why the choice of not publishing the pulic part of the certificated in the DB? The choice to have a key-cert for the PGP method was not to do with issues of web of trust but rather for purposes of helping the users with their data maintenance. As a matter of fact the recommendation regarding the use of PGP in the RIPE DB, as described in the RFC and the minutes of the DBSEC TF, was to use a PGP key for this purpose that was not used elsewhere. - will the RIPE NCC make avaiable, at the time of implementation, documentation to guide use of this feature by users with a couple of the most popular clients? Thanks for the good work, Joao Damas On Thursday, August 14, 2003, at 06:24 PM, Shane Kerr wrote: > All, > > [Apologies for duplicate e-mails] > > Attached please find a proposal for X.509 authentication in the RIPE > Database. From the Database point of view (that is, syntax and > semantics), it is the same as the one sent 3 July 2003. The > difference is that it contains only the specific details of the > change, in a straightforward fashion. > > I hope that we have addressed questions about the use of X.509 that > arose in earlier discussions. > > -- > Shane Kerr > RIPE NCC > Addition of X.509 authentication to the Database > > > Proposal: > > To add an X509 authentication type to the "auth:" attribute. > Attributes with this type will use the Distinguished Name (DN) of the > certificate to identify it. > > > Motivation: > > X.509 allows a single authentication method to work for both e-mail > and the web. LIRs can receive an X.509 certificate through the LIR > Portal, and should be able to use this to update records they control > in the Database. X.509 is "strong", like PGP, although a different > trust model is used. > > > Details: > > The "auth:" attribute of the mntner class will have a new > authentication scheme, X509. The DN, as defined in RFC 2253, will be > used to identify the specific certificate used. > > Note that there is no key-cert object for the X509 scheme. Instead, > the certificate must be signed by a trusted authority. The trusted > authority will be the RIPE NCC Certificate Authority (CA) that is > currently only available to LIRs. It is possible to configure > additional CAs in future, should this become desirable. For instance, > existing commercial CAs could be allowed, or the RIPE NCC could create > a CA to issue certificates to non-LIRs for this purpose only. > > Below is an example of a maintainer with X.509 authentication: > > mntner: EXAMPLE-MNT > descr: Sample maintainer for example. > admin-c: SWK1-RIPE > tech-c: RD132-RIPE > tech-c: HOHO-RIPE > upd-to: ripe-dbm at ripe.net > mnt-nfy: ripe-dbm at ripe.net > auth: X509 C=NL, O=RIPE NCC, OU=Members, CN=zz.example.user1 > auth: X509 C=NL, O=RIPE NCC, OU=Members, CN=zz.example.user2 > notify: ripe-dbm at ripe.net > mnt-by: EXAMPLE-MNT > referral-by: RIPE-DBM-MNT > changed: ripe-dbm at ripe.net 20030813 > source: RIPE > > > Usage: > > E-mail updates for objects maintained by a maintainer with X509 > authentication must be sent in S/MIME format and signed (not > encrypted) using the private key associated with the issued > certificate. > > Synchronous updates for objects maintained by a maintainer with X509 > authentication must use an SSL connection using the private key from > the issued certificate on the client side. > > Web updates for objects maintained by a maintainer with X509 > authentication can use a browser with the certificate loaded. The web > updates screens will allow users to specify that they want to identify > themselves using the client-side private key, over an SSL connection. >
- Previous message (by thread): [ncc-services-wg] X.509 authentication in the RIPE Database, take II
- Next message (by thread): [ncc-services-wg] Re: [db-wg] X.509 authentication in the RIPE Database, take II
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]