[db-wg] Update of mntner object with mixed authentication
Alexander Gall
gall at switch.ch
Wed Jul 18 16:01:30 CEST 2012
Hi Denis

On Wed, 18 Jul 2012 15:11:01 +0200, Denis Walker <denis at ripe.net> said:

> The current arrangement of hiding MD5 password hashes is based on a
> series of community discussions and two iterations of the
> implementation. Although the consensus is that hiding the hashes is
> beneficial from a security point of view, unfortunately this does result
> in some corner cases that are not easy to resolve. This is an extreme
> example of such a corner case with so many people sharing the use of one
> MNTNER.

> Currently there is no simple way for a user with only PGP credentials to
> modify a MNTNER object like this one. Only one of the users with a
> password can query the full object. Wilfried has suggested one work
> around. Bear in mind that these corner cases only occur when there is a
> mixture of credential options. If all users used either password or PGP
> there is no issue. So another work around in this case could be for the
> PGP users to include a strong password as well. As there are already so
> many passwords in this object, perhaps this would not affect the overall
> security level.

Yes, that's the path I've taken.

> The RIPE NCC is currently re-developing the whole of the RIPE Database
> update software. As part of this process the RIPE NCC would like to put
> a proposal to the community for additional authentication options
> including an extension to the RIPE NCC Single Sign On service (SSO) to
> cover authentication of updates to the RIPE Database. This could provide
> a long term solution to the MNTNER problem.

> We are still in the early stages of this re-development, which we expect
> to last for a few months. So we don't yet have the full details of
> additional authentication options. But when we do we will submit it to
> the community for consideration. The RIPE NCC is also always open to
> suggestions from the community for solutions to known problems.

For the case at hand, it would be enough to have a method to
authenticate *queries* for mntner objects with any of the valid
methods for updates (not just passwords).

Regards,
Alex