[AFRINIC-rpd] whois.afrinic.net leaks passwords
Nii Narku Quaynor
quaynor at ghana.com
Thu Nov 22 14:29:49 UTC 2012
Filter as you have planned.
...ehh, it would be helpful to also appreciate what other RIRs have done/are doing about this as BCP.
On Nov 22, 2012, at 8:02, Adiel Akplogan <adiel at afrinic.net> wrote:
> On 2012-11-22, at 10:49 AM, Guy Antony Halse <G.halse at ru.ac.za> wrote:
>> On Thu 2012-11-22 (09:50), Adiel Akplogan wrote:
>>> Our thinking is around a) Encouraging people to use PGP or X.509
>>> instead of MD-5 b) Doing what you are suggesting and filter
>>> out the MD-5 encrypted password while displaying mntner queries
>>> output, and/or c) gradually phase out MD-5 completely to only allow
>>> PGP and X.509. In my sense a combination of (b) and (c) could be
>>> the appropriate way to handle this for the long term.
>> Or d) introduce an alternative as-yet-uncompromised password encryption
>> mechanism, such as SHA512. (perhaps whilst still doing b)).
> Thanks, we will investigate this option as well.
>> Or e) extend my.afrinic.net to provide a web interface for maintaining
>> objects (the current version doesn't support all objects).
> Yes, this is already in the pipe with other improvements to be released
> next year in MyAFRINIC v.2
>> Or f) provide an HTTP-based API (as EPP did for DNS). This would
>> allow/encourage people to automate maintenance tasks.
> Interesting and will be looked at as well.
>> Sticking with e-mail, while I personally like the idea of X.509 (S/MIME), it
>> raises the barrier to entry for smaller members and might be difficult to
>> manage in a large environment. (A password is easy to store in an
>> enterprise password safe, and easy for a number of people to use.)
> Understood … but we try to give as many reliable options as possible to
> the community to decide by themselves.
>> There's a lot to be said for keeping it simple.
> Agree, and thank you for your input.
> - a.
> rpd mailing list
> rpd at afrinic.net
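
Option (b) from the thread above, filtering password hashes out of mntner query output, sketched as an added example that is not part of the original messages and is not AFRINIC's code. The function name, the "# Filtered" marker, the inclusion of CRYPT-PW alongside MD5-PW, and the sample object are assumptions made for illustration.

```python
import re

# Password-style auth schemes whose hash must not appear in query output.
# Key-based values (PGPKEY-..., X509-...) only reference a public key and pass through.
PASSWORD_SCHEMES = {"MD5-PW", "CRYPT-PW"}  # CRYPT-PW included as an assumption
AUTH_LINE = re.compile(r"^(auth:\s*)(\S+)(.*)$", re.IGNORECASE)
MARKER = "# Filtered"  # placeholder text chosen for this example


def filter_mntner(text):
    """Return (filtered_text, redacted_count) for whois output in RPSL form."""
    out = []
    redacted = 0
    dropping_continuation = False
    for line in text.splitlines():
        # RPSL continuation lines start with a space, a tab or '+'.
        is_continuation = line[:1] in (" ", "\t", "+")
        if is_continuation and dropping_continuation:
            continue  # remainder of an auth value that was just redacted
        dropping_continuation = False
        m = AUTH_LINE.match(line)
        if m and m.group(2).upper() in PASSWORD_SCHEMES:
            # Keep the attribute and scheme so users still see which method is in use.
            out.append(f"{m.group(1)}{m.group(2)} {MARKER}")
            redacted += 1
            dropping_continuation = True
            continue
        out.append(line)
    return "\n".join(out), redacted


# Constructed sample object; the hash strings are made up, not real credentials.
SAMPLE = """\
mntner:         EXAMPLE-MNT
descr:          Constructed maintainer for illustration
auth:           MD5-PW $1$abcdefgh$0123456789ABCDEFGHIJKL
auth:           PGPKEY-DEADBEEF
auth:           md5-pw $1$ijklmnop$
+               MNOPQRSTUVWXYZ01234567
auth:           CRYPT-PW abJnggxhB/yWI
mnt-by:         EXAMPLE-MNT
source:         AFRINIC
"""

if __name__ == "__main__":
    filtered, count = filter_mntner(SAMPLE)
    print(filtered)
    print(f"{count} password hashes redacted")
```

The filter has to run on every output path that can return a mntner object; the sketch covers only the text transformation, including a hash wrapped onto a continuation line.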