[db-wg] Signature expiration check proposal
Joao Damas
joao-ripe at c-l-i.net
Mon Jul 25 14:31:44 CEST 2005
excellent idea, I would even propose the allowed time to be shorter,
like one day or two (at most)

Joao

On 21 Jul, 2005, at 14:49, Katie Petrusha wrote:

> Dear Colleagues,
>
> This is a proposal about changes to how the whois database software checks
> PGP and X.509 signatures on incoming updates.
>
> Currently the software checks that the PGP signature is valid by using Gnu
> Privacy Guard (GnuPG). It verifies X.509 signatures with an OpenSSL (Secure
> Sockets Layer) tool.
>
> We propose to change the software, so that it also checks the signature
> creation date. If the signature is older than one week, it will be rejected
> and the update will fail.
>
> This is to prevent replay attacks on database objects. We became
> aware of this potential threat when we designed the DNSSEC provisioning
> system.
>
> --
> Katie Petrusha
> RIPE NCC
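
The freshness check proposed in this thread, as an added example that is not part of the original messages and not the RIPE whois software's own code: it reads the signature creation time from the VALIDSIG line of GnuPG's machine-readable status output (--status-fd) and rejects an update whose signature falls outside the allowed window. The function names, the 5-minute skew tolerance and the sample status lines are assumptions constructed for illustration; X.509 signatures are not covered.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=7)      # window from the proposal; the reply suggests 1-2 days
MAX_SKEW = timedelta(minutes=5)  # assumption: tolerated clock skew for future-dated signatures

def parse_sig_time(field):
    """GnuPG prints timestamps as epoch seconds or as ISO 8601 (YYYYMMDDTHHMMSS)."""
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def signature_created(status_output):
    """Return the creation time from the VALIDSIG line, or None if there is none."""
    for line in status_output.splitlines():
        parts = line.split()
        # [GNUPG:] VALIDSIG <fpr> <sig_creation_date> <sig-timestamp> <expire-timestamp> ...
        if len(parts) >= 5 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parse_sig_time(parts[4])
    return None

def check_update(status_output, now, max_age=MAX_AGE):
    """Accept only a cryptographically valid signature created within max_age of now."""
    created = signature_created(status_output)
    if created is None:
        return (False, "no valid signature")
    age = now - created
    if age > max_age:
        return (False, "signature too old")  # a replayed old update lands here
    if age < -MAX_SKEW:
        return (False, "signature dated in the future")
    return (True, "ok")

def sample_status(created):
    """Constructed status output for a signature made at `created` (made-up key)."""
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"
    ts = int(created.timestamp())
    return (f"[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.net>\n"
            f"[GNUPG:] VALIDSIG {fpr} {created:%Y-%m-%d} {ts} 0 4 0 17 2 00 {fpr}\n")

if __name__ == "__main__":
    signed = datetime(2005, 7, 21, 12, 49, tzinfo=timezone.utc)
    print(check_update(sample_status(signed), signed + timedelta(hours=1)))
    print(check_update(sample_status(signed), signed + timedelta(days=30)))
    print(check_update(sample_status(signed), signed + timedelta(days=4),
                       max_age=timedelta(days=1)))
```

The age is measured against the receiving server's clock, so the window also bounds how long a captured update stays replayable; a shorter window narrows that exposure at the cost of rejecting updates that were signed well before submission.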