[AFRINIC-rpd] whois.afrinic.net leaks passwords

[Adiel Akplogan]

On 2012-11-22, at 10:49 AM, Guy Antony Halse <G.halse at ru.ac.za> wrote:
> On Thu 2012-11-22 (09:50), Adiel Akplogan wrote:
>> Our thinking is around a) Encouraging people to use PGP or X.509 
>> instead of MD-5 b) Doing what you are suggesting and filter
>> out the MD-5 encrypted password while displaying mntner queries 
>> output, and/or c) gradually phase out MD-5 completely to only allow 
>> PGP and X.509. In my sense a combination of (b) and (c) could be 
>> the appropriate way to handle this for the long term. 
> 
> Or d) introduce an alternative as-yet-uncompromised password encryption
> mechanism, such as SHA512. (perhaps whilst still doing b)).

Thanks, we will investigate this option as well.

> Or e) extend my.afrinic.net to provide a web interface for maintaining
> objects (the current version doesn't support all objects).

Yes this is already in the pipe with other improvement to be release 
next year in MyAFRINIC v.2

> Or f) provide an HTTP-based API (as EPP did for DNS).  This would
> allow/encourage people to automate maintenance tasks.

Interesting and will be looked at as well.

> Sticking with e-mail, while I personally like the idea of X.509 (S/MIME), it
> raises the barrier to entry for smaller members and might be difficult to
> manage in a large environment.  (A password is easy to store in an
> enterprise password safe, and easy for a number of people to use.)  

Understood … but we try to give as much as reliable options to the 
community to decide by themselves.

> There's a lot to be said for keeping it simple.

Agree, and thank you for your input.

- a.