[db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
Christoffer Hansen
christoffer at netravnen.de
Sat Dec 1 17:00:46 CET 2018
On 05/11/2018 17:56, Gert Doering wrote:
> On Mon, Nov 05, 2018 at 04:12:10PM +0100, Edward Shryane via db-wg wrote:
>> Is it enough to update or delete a revoked key? Should the RIPE database process key revocation certificates?
>
> One of the problems here is that the RIPE DB cannot reliably know if
> a GPG key is revoked, unless it is *told*.
>
> "Telling it" can be done nicely by removing the key-cert object - otherwise
> it would need to poll key-servers and hope for a key revocation to appear
> there.

I suggest just removing the key-cert object instead of updating the key-cert object with a revoked version.

> A catch-22 arises if the key-cert object needs a signed update with that
> very key to be deleted...

I would not use this approach of requiring a signed update to remove the key. If an authenticated SSO account is signed into the RIPE NCC website and tries to remove a key-cert object from the DB, this should be allowed.

--
Christoffer Hansen