[Community-Discuss] post ipv4 depletion frauds, brokers activities

Nishal Goburdhan nishal at controlfreak.co.za
Sun Jun 26 11:35:10 UTC 2016

On 25 Jun 2016, at 13:54, Honest Ornella GANKPA wrote:

> Hi Nishal,


> 2016-06-25 3:22 GMT+01:00 Nishal Goburdhan 
> <nishal at controlfreak.co.za>:
>> On 24 Jun 2016, at 21:06, Honest Ornella GANKPA wrote:
>>> It is quite scary actually that even the RIR is promoting such bad
>>> practices on the pretense of simplicity
>> i disagree.
>> and i’m not quite sure you see the double standard here.
>> you (meaning: a general user) are happy to use your user name and
>> password, and give your credit card details (ie. real money) to the
>> afrinic website, based simply on your acceptance of a perceived 3rd
>> party valid certificate implying identification  (it’s true;  the
>> payment bits at my.afrinic.net don’t require more than a simple
>> authenticated user login).
>> that same set of authentication information, is needed to *manage*
>> your resources - that critical thing that your network needs -  on a
>> daily basis.
>> but yet, somehow you think that this same set of
>> validation/authentication criteria isn’t good enough for specific
>> bits of the website?
>> i like to see evidence (proof).  it could be easily argued that,
>> since the e-voting process was Made Simpler (tm) more people used it
>> this year;  i don’t recall the actual numbers, but i’m told that
>> there were *more* e-voters users this year, than last, eh?
>> do i wish afrinic would improve security around my.afrinic?  heck
>> yes;  i logged ticket #249014 with afrinic in october 2014 asking for
>> 2FA, which, i’m told is slated for sometime in 2016.  (my ticket is
>> still open!)   i think that 2FA would be a better security deterrent
>> than a bpki cert.
> I'm not quite sure I get where you are disagreeing with me in your
> email?

you asserted:
“RIR is promoting such bad practices”
i disagree;  i don’t see afrinic as promoting any bad practice.

you asserted:
“..pretense of simplicity”
i disagree;  i don’t think this is a pretence.

i genuinely think that this was an attempt to make access, to more of 
the member portal, easier and simpler to use.
(and - this year at least - the online voting community seems to agree 
with me)

> I believe we both agree that a more secure myAfrinic would be
> beneficial for all. Now whether 2 factor authentication or rpki would
> be better, I would need to research 2 factor authentication to have an
> opinion.

to be clear, rpki is not necessary for access to all of the 
my.afrinic.net portal (although that, itself, is an interesting idea).
you need a certificate attesting to your identity to access part of the 
member portal.
this certificate is issued by afrinic;  what’s loosely been called a 
“bpki certificate”

> Surely removing an authentication security is not just a mere
> operational change?

i believe it is;  in keeping with my earlier mentioned DNS example, 
there was no consensus required when afrinic’s TSIG keys were 
changed from one type to another?   or when SSL was removed from the 
member portal, in favour of TLS.  or .. ?

let’s use the example i mentioned;  afrinic is hopefully working on my 
(and other members’ requests) to get 2FA working.
i don’t think they need member consensus to do that (ie. perform work 
to get this working).  hopefully, afrinic’s technical management 
understood the use-case here, and were able to allocate it a relative 
priority in their internal development process, and provide a simple 
yay/nay/say-when type of answer.  they certainly do not need me, or 
anyone else, telling them if/when/how to implement.
and when (see, i’m hopeful! :-))  2FA is available, i don’t expect a 
bylaw change.  nor member consensus to use, or activate, it.

i would *like* - nay, prefer - afrinic to offer the option to members to 
use the service, or not.  (ie.  not force members into one particular 
route).  and i’m eager to see how they approach this.

