[db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
- Previous message (by thread): [db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
- Next message (by thread): [db-wg] Policies and Guidelines for Assignments for Network Infrastructure and End User Networks
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gert Doering
gert at space.net
Mon Nov 5 17:56:31 CET 2018
Hi,

On Mon, Nov 05, 2018 at 04:12:10PM +0100, Edward Shryane via db-wg wrote:
> Should the RIPE database refuse to apply updates that were signed more than 'n' minutes ago (or in the future)?

I think this would be a valuable improvement.

> > Usually I will expect if I revoke a GPG-key|X509-cert. It cannot be used
> > any more. But the RIPE NCC Database does still allow this currently.
> > This is relevant in the case I ever lose a private GPG-key|X509-cert to
> > less than friendly 3rd-parties. And the lost private GPG-key|X509-cert
> > is the one used for signing updates to the database.
>
> Revoked keys indeed cannot be used any more. To revoke a key, you will need to update the existing key-cert object with the revoked version. You can also delete the key-cert object.
>
> Is it enough to update or delete a revoked key? Should the RIPE database process key revocation certificates?

One of the problems here is that the RIPE DB cannot reliably know if a GPG key is revoked, unless it is *told*. "Telling it" can be done nicely by removing the key-cert object - otherwise it would need to poll key-servers and hope for a key revocation to appear there.

A catch-22 arises if the key-cert object needs a signed update with that very key to be deleted...

(Not providing solutions, just bringing up aspects to consider)

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
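As an added illustration of the acceptance rule discussed in this thread (example code, not from the RIPE NCC or the thread's authors), the following Python function checks a signed update against a freshness window and the key status the database has been told about; the `KeyCert` fields, the window sizes and the sample timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical model of what the database knows about a key-cert object.
# Per the thread, the database only learns of a revocation when it is told
# (key-cert updated with the revoked key, or deleted), so revoked_at is set
# only after such an update has been applied; a deleted key-cert is None.
@dataclass
class KeyCert:
    fingerprint: str
    expires_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None

def check_signed_update(sig_time: datetime, now: datetime, key: Optional[KeyCert],
                        max_age_minutes: int = 60,
                        future_skew_minutes: int = 5) -> Tuple[bool, str]:
    """Decide whether an update signed at sig_time may be applied at time now.

    Order matters: key state is checked before timestamps so that a revoked
    or deleted key is rejected regardless of how fresh the signature looks.
    The catch-22 from the thread (deleting a key-cert with its own key) is
    deliberately not resolved here.
    """
    if key is None:
        return False, "no key-cert object for the signing key"
    if key.revoked_at is not None:
        return False, "signing key has been revoked"
    if key.expires_at is not None and sig_time >= key.expires_at:
        return False, "signing key had expired when the signature was made"
    if sig_time > now + timedelta(minutes=future_skew_minutes):
        return False, "signature timestamp lies in the future"
    if sig_time < now - timedelta(minutes=max_age_minutes):
        return False, "signature is older than the freshness window"
    return True, "ok"

# Constructed sample data for a stand-alone run.
NOW = datetime(2018, 11, 5, 17, 0, tzinfo=timezone.utc)
LIVE_KEY = KeyCert("0000000000000000000000000000000000000000",  # placeholder fingerprint
                   expires_at=datetime(2019, 1, 1, tzinfo=timezone.utc))
REVOKED_KEY = KeyCert("1111111111111111111111111111111111111111",
                      revoked_at=datetime(2018, 11, 5, 16, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, sig_time, key in [
        ("fresh, live key", NOW - timedelta(minutes=10), LIVE_KEY),
        ("stale", NOW - timedelta(hours=3), LIVE_KEY),
        ("future-dated", NOW + timedelta(minutes=30), LIVE_KEY),
        ("signed before revocation", NOW - timedelta(hours=1), REVOKED_KEY),
        ("key-cert deleted", NOW - timedelta(minutes=1), None),
    ]:
        print(label, check_signed_update(sig_time, NOW, key))
```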