
[db-wg] Signature expiration check proposal

  • From: Katie Petrusha
  • Date: Thu, 21 Jul 2005 14:49:34 +0200

Dear Colleagues,

This is a proposal about changes to how the whois database software checks 
PGP and X.509 signatures on incoming updates.

Currently the software checks that the PGP signature is valid by using GNU 
Privacy Guard (GnuPG). It verifies X.509 signatures with an OpenSSL (Secure 
Sockets Layer) tool.

We propose to change the software, so that it also checks the signature 
creation date. If the signature is older than one week, it will be rejected 
and the update will fail.

This is to prevent replay attacks on database objects. We became 
aware of this potential threat when we designed the DNSSEC provisioning 
system.

-- 
Katie Petrusha
RIPE NCC
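
The following is an added example, not part of the original message and not the RIPE NCC's software: a sketch of the proposed one-week check applied to GnuPG `--status-fd` output, where the `VALIDSIG` line carries the signature creation timestamp. The function names, the five-minute clock-skew tolerance, the fingerprint and the sample status lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(weeks=1)       # limit stated in the proposal
MAX_SKEW = timedelta(minutes=5)    # assumption: tolerance for signer clock drift


def _parse_ts(field):
    """GnuPG prints sig-timestamp as epoch seconds or as ISO 8601 (contains 'T')."""
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def signature_created(status_output):
    """Return the creation time from the VALIDSIG status line, or None."""
    for line in status_output.splitlines():
        parts = line.split()
        # [GNUPG:] VALIDSIG <fpr> <YYYY-MM-DD> <sig-timestamp> <expire-timestamp> ...
        if len(parts) >= 5 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return _parse_ts(parts[4])
    return None


def check_update(status_output, now):
    """Return (accepted, reason) for one signed update."""
    created = signature_created(status_output)
    if created is None:
        return False, "no valid signature"
    if created - now > MAX_SKEW:
        return False, "signature dated in the future"
    if now - created > MAX_AGE:
        return False, "signature older than one week"
    return True, "ok"


# Constructed sample: status output for a signature made 2005-07-10 12:00:00 UTC.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder fingerprint
SAMPLE = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer\n"
    f"[GNUPG:] VALIDSIG {FPR} 2005-07-10 1120996800 0 3 0 17 2 00 {FPR}\n"
)

if __name__ == "__main__":
    fresh = datetime(2005, 7, 12, tzinfo=timezone.utc)
    replayed = datetime(2005, 7, 21, tzinfo=timezone.utc)
    print(check_update(SAMPLE, fresh))      # submitted two days after signing
    print(check_update(SAMPLE, replayed))   # same signed update replayed later
```

The age is taken from the signed creation time, not from mail headers, because only the former is covered by the signature.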




 
