Signature expiration check proposal
This is a proposal about changes to how the whois database software checks PGP and X.509 signatures on incoming updates.
Currently the software checks that the PGP signature is valid by using Gnu Privacy Guard (GnuPG). It verifies X.509 signatures with an OpenSSL (Secure Sockets Layer) tool.
We propose to change the software, so that it also checks the signature creation date. If the signature is older than one week, it will be rejected and the update will fail.
This is to prevent replay attacks on database objects. We became aware of this potential threat when we designed the DNSSEC provisioning system.