[db-wg] Disallowing MD5 passwords in e-mail updates, was MD5 Hashes in the database
Damien Cauquil
virtualabs at gmail.com
Wed Nov 9 11:47:08 CET 2011
I see. Thank you for this explanation.

Damien

On Wed, Nov 9, 2011 at 11:15 AM, Shane Kerr <shane at time-travellers.org> wrote:

> Dear unnamed person,
>
> This is not the RIPE NCC's database... they maintain it, and they use
> it, but it is the RIPE Database - for the entire RIPE community.
>
> Still, preventative steps have been taken - if you download the data on
> maintainers then the passwords are not present. Also, the database
> limits the volume of queries that users can make, to prevent harvesting
> that way. These were done with coordination of the RIPE community.
>
> The RIPE Database has always been completely public. The idea is that
> you do not have to trust the RIPE NCC to keep secrets. This protects the
> RIPE NCC, and it also protects us, the users. It also prevents users
> accidentally exposing secret information by confusing which parts are
> public and which are private - it is all public. In my mind there are
> valid reasons to be concerned with hiding *any* of the RIPE Database,
> although at the end I think it is the right thing to do.
>
> Also, this is mostly a registration database we're talking about here.
> If records are altered nobody will have their credit card charged, and
> nobody will lose their allocations; probably the worst case is that
> someone will be unable to get routed properly for a time. The RIPE
> Database keeps an entire history of all transactions, so that if
> authentication was compromised then the invalid changes could be rolled
> back easily once discovered. (At least this used to be how it works;
> perhaps that has changed?)
>
> There are reasons why the Database is the way it is. It is not the RIPE
> NCC avoiding responsibility.
>
> --
> Shane
>
> On Wed, 2011-11-09 at 10:55 +0100, virtu virtualabs wrote:
> > So it is up to the community to move from MD5 authentication to
> > stronger authentication methods? No preventive steps would be taken
> > to avoid MD5 hashes disclosure on the RIPE website?
> >
> > On Wed, Nov 9, 2011 at 10:38 AM, Nigel Titley <nigel at titley.com>
> > wrote:
> >         On Tue, 2011-11-08 at 15:01 +0100, virtu virtualabs wrote:
> >         > That would mean RIPE NCC did not do anything while people
> >         > have been aware of this fact for 2 years?
> >
> >         This problem is well known, both by the RIPE DB working group
> >         (which is what makes the policy, not the RIPE NCC) and also
> >         the RIPE NCC itself. It's been discussed for many years (not
> >         just 2) and the use of better authentication methods has been
> >         recommended (and have also been available for many years).
> >
> >         However, the community seems to wish to continue to use plain
> >         text passwords in emails, together with MD5 hashing.
> >
> >         Nigel