<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>
</p>
<p class="MsoNormal"><font face="Times New Roman, Times, serif"><span
style="mso-ansi-language:EN-US" lang="EN-US">Dear dbwg,</span></font></p>
<p class="MsoNormal"><font face="Times New Roman, Times, serif"><span
style="mso-ansi-language:EN-US" lang="EN-US"><br>
</span></font></p>
<font face="Times New Roman, Times, serif">
</font>
<p class="MsoNormal"><font face="Times New Roman, Times, serif"><span
style="mso-ansi-language:EN-US" lang="EN-US">I refer to
concern related to some of our system ranking low on security
tools. First of
all, we want to express our thanks for raising your concern
about the MyAfrinic
platform in particular. We are aware of this challenge and you
can be assured
that it is of a concern for us as well.</span></font></p>
<font face="Times New Roman, Times, serif">
</font>
<p class="MsoNormal"><font face="Times New Roman, Times, serif"><span
style="mso-ansi-language:EN-US" lang="EN-US">A project
to revamp of MyAfrinic has kicked off already and development
is ongoing. While
this project may take some time to be fully released, we also
worked on an
immediate fix. <span style="mso-spacerun:yes"> </span>The fix
is ready to be
deployed but due to the proximity with AIS’20 we dim wiser to
reschedule the deployment
after AIS’20. We need all the stakeholder fully dedicate to
perform required
and extensive test before the fix is pushed onto production
system.</span></font></p>
<font face="Times New Roman, Times, serif">
</font>
<p class="MsoNormal"><font face="Times New Roman, Times, serif"><span
style="mso-ansi-language:EN-US" lang="EN-US">Our plans to
release the fix will be communicated via the usual channels
but it should not
go beyond October 2020. Thanking you again for you
collaboration and support. </span></font></p>
<font face="Times New Roman, Times, serif">
</font>
<p class="MsoNormal"><font face="Times New Roman, Times, serif"><span
style="mso-ansi-language:EN-US" lang="EN-US">Best
regards,</span></font></p>
<p class="MsoNormal"><span style="mso-ansi-language:EN-US"
lang="EN-US"><br>
</span></p>
<p>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;
mso-font-charset:0;
mso-generic-font-family:roman;
mso-font-pitch:variable;
mso-font-signature:-536870145 1107305727 0 0 415 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;
mso-font-charset:0;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:-536859905 -1073732485 9 0 511 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-parent:"";
margin:0cm;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:Calibri;
mso-fareast-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;
mso-fareast-language:EN-US;}
.MsoChpDefault
{mso-style-type:export-only;
mso-default-props:yes;
font-family:"Calibri",sans-serif;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:Calibri;
mso-fareast-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;
mso-fareast-language:EN-US;}size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;
mso-header-margin:36.0pt;
mso-footer-margin:36.0pt;
mso-paper-source:0;}
div.WordSection1
{page:WordSection1;}</style></p>
<pre class="moz-signature" cols="72">--
_______________________________________________________________
Cedrick Adrien Mbeyet
IT Infrastructure Unit Manager, AFRINIC Ltd.
t: +230 403 5100 / 403 5115 | f: +230 466 6758 | tt: @afrinic | w: <a class="moz-txt-link-abbreviated" href="http://www.afrinic.net">www.afrinic.net</a>
facebook.com/afrinic | flickr.com/afrinic | youtube.com/afrinicmedia
______________________________________________________</pre>
<div class="moz-cite-prefix">On 24/08/2020 19:29, Nishal Goburdhan
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:40B10D9D-D925-4F6A-877C-9FFC86ABD7F0@controlfreak.co.za">On
24 Aug 2020, at 11:05, Simon Seruyinda wrote:
<br>
<br>
<blockquote type="cite">Dear DBWG
<br>
<br>
We have had discussions internally regarding the changed
attribute and we acknowledge the challenges sorrounding its
effectiveness and accuracy as a reliable source of who made the
changes and when.
<br>
Current WHOIS behaviour does not force the addition of a changed
attribute during an update if one already exists.
<br>
</blockquote>
<br>
this is not my experience. but i might be an anomaly.
<br>
<br>
<br>
<blockquote type="cite">Besides validating that the email address
the user provides is a valid one,
<br>
</blockquote>
<br>
to be clear, this validation does not occur; you probably mean
that there is check for something resembling email syntax.
<br>
that is not the same as a valid email address ..
<br>
<br>
<br>
<blockquote type="cite">the changed attribute is for the users own
reference.
<br>
Nothing can be determined by a third party by looking at the
email address provided here.
<br>
As pointed out by Frank, currently the date is not validated to
confirm that it matches the date when update is being done, but
we can change this to make it auto-generated.
<br>
</blockquote>
<br>
timestamping in UTC seem to be the rational thing to do..
<br>
<br>
<br>
<blockquote type="cite">In our internal discussions, the following
options were considered:
<br>
<br>
1. Eliminate other avenues of creating and updating WHOIS
objects such as webupdate and auto-dbm and leave only myafrinic.
<br>
</blockquote>
<br>
NO!
<br>
<br>
do you really mean to trade my pgp-signed updates, where *i*
control my private key, for a system that sends out passwords in
plain text, and fails basic best practices for web security [1]
despite being warned repeatedly? i am all for securing access to
the db; please explain how removing my access to pgp-signed mail,
promotes that notion?
<br>
<br>
<br>
<blockquote type="cite">Allow non-registered contacts to register
on the portal with limited access to specific functionality so
that when a change or creation of an object is done, we know
exactly who is making the updates. This would enable us to
auto-generate the changed attribute. This would be possible in
myafrinic v2 which is currently under development.
<br>
</blockquote>
<br>
i can understand why it is easy to think that myafrinic2 will be a
panacea. but with no release date, or upcoming feature list, or
[..] (i looked on both your website, and your portal, and could
not see a release/feature schedule), i feel less comfortable about
expecting anything from this project. also - whilst your portal
is likely fine for folks that want to
click-through-to-make-irregular-changes, and i applaud efforts to
make this as easy to use as possible for them, you’re forgetting:
<br>
# ben’s quite reasonable request for an API for larger networks
that need the automation to scale
<br>
# “email” .. is just another API .. (well, loosely ;-))
<br>
<br>
<br>
<blockquote type="cite">2. Slowly deprecate the changed attribute
and replace it with two auto-generated attributes namely created
and last-updated or last-modified both of which would take the
date whose format we can discuss and agree upon here.
<br>
</blockquote>
<br>
i think most people don’t care what you call it; the principles
are simple:
<br>
# lock in maintainers for everything; make these immutable (do
*NOT* allow people to remove them (even intentionally) and if it
means that you need to make the time during the Great StayHome of
2020 to schedule 1-on-1 telephone calls with those, fewer than
ten[2], users that removed their auto-generated maintainer, then
*DO IT* for the sake of better security for all;
<br>
# generated the timestamp for changed / last-updated /
call-it-what-you-want based on $transaction_time authenticated by
$authorised_mnter;
<br>
# generated the “who changed it” (call it what you want) from the
mnter.
<br>
<br>
at least this is how i read ben’s quite sensible suggestion
earlier.
<br>
what, from the above, do you need this working group to help
with? community consensus around mandatory maintainerS? :-)
<br>
<br>
<br>
<blockquote type="cite">How have other RIRs handled this?
<br>
<br>
RIPE:
<br>
Began deprecation of the changed attribute in 2015, and replaced
it with created and last-modified attributes.
<br>
<a class="moz-txt-link-freetext" href="https://labs.ripe.net/Members/tim/deprecating-the-changed-attribute-in-the-ripe-database">https://labs.ripe.net/Members/tim/deprecating-the-changed-attribute-in-the-ripe-database</a>
<br>
<br>
APNIC:
<br>
Replaced the changed attribute with the last-modified attribute
<br>
<a class="moz-txt-link-freetext" href="https://www.apnic.net/get-ip/faqs/last-modified-attribute/">https://www.apnic.net/get-ip/faqs/last-modified-attribute/</a>
<br>
</blockquote>
<br>
i admit i didn’t think of the anti-spam thing; so yeah, i have no
issue hiding the email address in a regular query, as long as it
can be retrieved via a --history option (-B ?) or something
similar.
<br>
<br>
-n.
<br>
<br>
[1] <a class="moz-txt-link-freetext" href="https://observatory.mozilla.org/analyze/my.afrinic.net">https://observatory.mozilla.org/analyze/my.afrinic.net</a>
that’s just one. feel free to look through other similar tools.
<br>
[2]
<a class="moz-txt-link-freetext" href="https://lists.afrinic.net/pipermail/dbwg/2020-August/000216.html">https://lists.afrinic.net/pipermail/dbwg/2020-August/000216.html</a>
<br>
<br>
_______________________________________________
<br>
DBWG mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:DBWG@afrinic.net">DBWG@afrinic.net</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.afrinic.net/mailman/listinfo/dbwg">https://lists.afrinic.net/mailman/listinfo/dbwg</a>
<br>
</blockquote>
</body>
</html>