[db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
- Previous message (by thread): [db-wg] Whois Release 1.93
- Next message (by thread): [db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Edward Shryane
eshryane at ripe.net
Mon Feb 11 15:55:45 CET 2019
Dear Working Group,

to follow up on this discussion, the upcoming Whois 1.93 release will implement the following changes:

- Updates signed with an expired PGP key or X509 certificate will now FAIL (currently a warning is generated).
- Updates will FAIL one hour after they are signed, and also updates signed more than one hour in the future.
- Updates to key-cert objects with an Expired or Revoked public key (or certificate) will FAIL.

To measure the potential impact of these changes, I reviewed all Whois updates between October - December 2018.

- Approximately 4% of all updates are signed with a PGP key or X509 certificate.
- 99% of X509 key-cert certificates are expired. I found 5 X509 signed updates with an expired key.
- 16% of PGP key-cert keys are expired. I found 63 PGP signed updates with an expired key.
- I found 24 PGP signed updates more than one hour in the past, and none signed in the future.

We will notify maintainers of expired key-cert objects separately (by email) of this upcoming change.

Regards
Ed Shryane
RIPE NCC

> On 1 Nov 2018, at 15:35, Christoffer Hansen (Lists) via db-wg <db-wg at ripe.net> wrote:
>
> Dear DB WG,
>
> It came to my attention the RIPE NCC Database does not do validation of signed updates. (Other than checking the key is allowed to sign updates for the object(s) in question.)
>
> I got the understanding from writing to the DB-WG Chairs that this was a decision made years back.
>
> I think it is less than optimal from a security perspective that a signed update (with GPG and/or X509 certs) is not validated against (1) when the update was signed (e.g. signing was done 10 minutes ago) and (2) that the expiration date for the keys is not validated.
>
> Usually I would expect that if I revoke a GPG-key|X509-cert, it cannot be used any more. But the RIPE NCC Database does still allow this currently. This is relevant in the case I ever lose a private GPG-key|X509-cert to less than friendly 3rd-parties, and the lost private GPG-key|X509-cert is the one used for signing updates to the database.
>
> What I have in mind is that the RIPE NCC Database begins verifying the validity (not revoked and/or expired) of the GPG-key|X509-cert used to sign updates.
>
> Christoffer
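The three rules announced above (reject an expired or revoked signing key, reject a signature older than one hour or more than one hour in the future, reject an update to a key-cert object whose own key is expired or revoked) can be written down as a small validation function. The following is an added illustration, not code from the RIPE NCC Whois implementation: it models only the key metadata and the signature timestamp (the PGP/X.509 parsing and cryptographic verification that Whois performs are omitted), and the key IDs, timestamps and sample updates are constructed here. It also includes a batch counter of the kind used for the impact review in the message, run over the constructed updates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows from the announcement: a signature is rejected when it is more than
# one hour old or more than one hour in the future (clock-skew tolerance).
MAX_SIGNATURE_AGE = timedelta(hours=1)
MAX_FUTURE_SKEW = timedelta(hours=1)


@dataclass(frozen=True)
class PublicKey:
    """Expiry/revocation metadata of a PGP key or X.509 certificate."""
    key_id: str
    expires_at: Optional[datetime]  # None = never expires
    revoked: bool = False

    def is_valid_at(self, now: datetime) -> bool:
        if self.revoked:
            return False
        return self.expires_at is None or now < self.expires_at


@dataclass(frozen=True)
class SignedUpdate:
    """A signed Whois update: which key signed it, when, and (optionally) the
    public key held by a key-cert object that the update modifies."""
    signing_key: PublicKey
    signed_at: datetime
    key_cert_key: Optional[PublicKey] = None


def check_update(update: SignedUpdate, now: datetime) -> list:
    """Return the reasons the update must FAIL; an empty list means accept."""
    reasons = []
    key = update.signing_key
    if key.revoked:
        reasons.append(f"signing key {key.key_id} is revoked")
    elif key.expires_at is not None and now >= key.expires_at:
        reasons.append(f"signing key {key.key_id} expired at {key.expires_at:%Y-%m-%d}")

    age = now - update.signed_at  # negative when the signature is dated in the future
    if age > MAX_SIGNATURE_AGE:
        reasons.append("signature is more than one hour old")
    elif age < -MAX_FUTURE_SKEW:
        reasons.append("signature is more than one hour in the future")

    kc = update.key_cert_key
    if kc is not None and not kc.is_valid_at(now):
        state = "revoked" if kc.revoked else "expired"
        reasons.append(f"key-cert object holds {state} key {kc.key_id}")
    return reasons


def review_impact(updates, now: datetime) -> dict:
    """Count how many updates each rule would reject, as an impact review."""
    counts = {"expired_or_revoked_key": 0, "stale_or_future_signature": 0,
              "invalid_key_cert": 0, "accepted": 0}
    for u in updates:
        reasons = check_update(u, now)
        if not reasons:
            counts["accepted"] += 1
        for r in reasons:
            if r.startswith("signing key"):
                counts["expired_or_revoked_key"] += 1
            elif r.startswith("signature"):
                counts["stale_or_future_signature"] += 1
            else:
                counts["invalid_key_cert"] += 1
    return counts


# Constructed sample data: key IDs and times are made up, not real RIPE objects.
NOW = datetime(2019, 2, 11, 15, 0, tzinfo=timezone.utc)
GOOD_KEY = PublicKey("CONSTRUCTED-KEY-1", NOW + timedelta(days=365))
EXPIRED_KEY = PublicKey("CONSTRUCTED-KEY-2", NOW - timedelta(days=30))
REVOKED_KEY = PublicKey("CONSTRUCTED-KEY-3", None, revoked=True)

SAMPLE_UPDATES = [
    SignedUpdate(GOOD_KEY, NOW - timedelta(minutes=10)),     # accepted
    SignedUpdate(EXPIRED_KEY, NOW - timedelta(minutes=10)),  # expired signing key
    SignedUpdate(GOOD_KEY, NOW - timedelta(hours=2)),        # signed too long ago
    SignedUpdate(GOOD_KEY, NOW + timedelta(minutes=90)),     # signed in the future
    SignedUpdate(GOOD_KEY, NOW - timedelta(minutes=5),
                 key_cert_key=REVOKED_KEY),                  # key-cert holds a revoked key
]

if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        print(u.signed_at.isoformat(), check_update(u, NOW) or ["OK"])
    print(review_impact(SAMPLE_UPDATES, NOW))
```

The check takes `now` as a parameter rather than reading the wall clock so that the same decision can be reproduced later from the update's log entry; the one-hour tolerance in both directions is what bounds how long a captured signed update stays replayable, which is the concern raised in the quoted message.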