Re: [db-wg] Signature expiration check proposal
To: Database WG <>
From: Joao Damas <>
Date: Mon, 25 Jul 2005 14:31:44 +0200
Excellent idea. I would even propose the allowed time to be shorter, like one day or two (at most).
Joao
On 21 Jul, 2005, at 14:49, Katie Petrusha wrote:
Dear Colleagues,

This is a proposal about changes to how the whois database software checks PGP and X.509 signatures on incoming updates.

Currently the software checks that the PGP signature is valid by using Gnu Privacy Guard (GnuPG). It verifies X.509 signatures with an OpenSSL (Secure Sockets Layer) tool.

We propose to change the software, so that it also checks the signature creation date. If the signature is older than one week, it will be rejected and the update will fail.

This is to prevent replay attacks on database objects. We became aware of this potential threat when we designed the DNSSEC provisioning system.
--
Katie Petrusha
RIPE NCC