[ncc-services-wg] Re: [db-wg] X.509 authentication in the RIPE Database, take II
Joao Luis Silva Damas
joao at psg.com
Fri Aug 15 15:24:41 CEST 2003
Shane,

adding a new strong authentication method to the Database is, in my own personal opinion, a good thing(tm), particularly if the same credential can be used for other interactions with the RIPE NCC, making users' lives easier.

I wonder however about a few questions:

- will this auth method be available only to RIPE NCC members? Is it not seen as a valuable general addition for non-member users of the IRR part of the RIPE DB?

- Why the choice of not publishing the public part of the certificate in the DB? The choice to have a key-cert for the PGP method was not to do with issues of web of trust but rather for purposes of helping the users with their data maintenance. As a matter of fact the recommendation regarding the use of PGP in the RIPE DB, as described in the RFC and the minutes of the DBSEC TF, was to use a PGP key for this purpose that was not used elsewhere.

- will the RIPE NCC make available, at the time of implementation, documentation to guide use of this feature by users with a couple of the most popular clients?

Thanks for the good work,

Joao Damas

On Thursday, August 14, 2003, at 06:24 PM, Shane Kerr wrote:

> All,
>
> [Apologies for duplicate e-mails]
>
> Attached please find a proposal for X.509 authentication in the RIPE
> Database. From the Database point of view (that is, syntax and
> semantics), it is the same as the one sent 3 July 2003. The
> difference is that it contains only the specific details of the
> change, in a straightforward fashion.
>
> I hope that we have addressed questions about the use of X.509 that
> arose in earlier discussions.
>
> --
> Shane Kerr
> RIPE NCC
>
> Addition of X.509 authentication to the Database
>
> Proposal:
>
> To add an X509 authentication type to the "auth:" attribute.
> Attributes with this type will use the Distinguished Name (DN) of the
> certificate to identify it.
>
> Motivation:
>
> X.509 allows a single authentication method to work for both e-mail
> and the web. LIRs can receive an X.509 certificate through the LIR
> Portal, and should be able to use this to update records they control
> in the Database. X.509 is "strong", like PGP, although a different
> trust model is used.
>
> Details:
>
> The "auth:" attribute of the mntner class will have a new
> authentication scheme, X509. The DN, as defined in RFC 2253, will be
> used to identify the specific certificate used.
>
> Note that there is no key-cert object for the X509 scheme. Instead,
> the certificate must be signed by a trusted authority. The trusted
> authority will be the RIPE NCC Certificate Authority (CA) that is
> currently only available to LIRs. It is possible to configure
> additional CAs in future, should this become desirable. For instance,
> existing commercial CAs could be allowed, or the RIPE NCC could create
> a CA to issue certificates to non-LIRs for this purpose only.
>
> Below is an example of a maintainer with X.509 authentication:
>
> mntner:       EXAMPLE-MNT
> descr:        Sample maintainer for example.
> admin-c:      SWK1-RIPE
> tech-c:       RD132-RIPE
> tech-c:       HOHO-RIPE
> upd-to:       ripe-dbm at ripe.net
> mnt-nfy:      ripe-dbm at ripe.net
> auth:         X509 C=NL, O=RIPE NCC, OU=Members, CN=zz.example.user1
> auth:         X509 C=NL, O=RIPE NCC, OU=Members, CN=zz.example.user2
> notify:       ripe-dbm at ripe.net
> mnt-by:       EXAMPLE-MNT
> referral-by:  RIPE-DBM-MNT
> changed:      ripe-dbm at ripe.net 20030813
> source:       RIPE
>
> Usage:
>
> E-mail updates for objects maintained by a maintainer with X509
> authentication must be sent in S/MIME format and signed (not
> encrypted) using the private key associated with the issued
> certificate.
>
> Synchronous updates for objects maintained by a maintainer with X509
> authentication must use an SSL connection using the private key from
> the issued certificate on the client side.
>
> Web updates for objects maintained by a maintainer with X509
> authentication can use a browser with the certificate loaded. The web
> updates screens will allow users to specify that they want to identify
> themselves using the client-side private key, over an SSL connection.