Hi Tore, Thanks for your feedback.
On 19 Sep 2024, at 10:46, Tore Anderson <tore@fud.no> wrote:
Hi Ed,
I'm very supportive of the idea of being able to use API keys to maintain the RIPE database content. However, I'd like to point out a fundamental difference between MD5 passwords and the API key implementation you outline, namely that the MD5 passwords are per maintainer while the API keys are per user account.
This means that they cannot actually be used in the same way, because a maintainer password will keep working even as LIR staff rotate, but a user's API key will not.
Correct, MD5 hashed passwords can be shared, and API keys are intended to be created and used by a single user.
This in turn makes the API keys unsuitable for use by automated systems (e.g., integration with an IPAM system), as one certainly does not want those to stop working simply because the person who created the API key in the first place quit the company and had their user account deleted.
However, if someone leaves a company, any credentials they had knowledge of should be changed. They should not have continued access to make updates on behalf of the company. Once a user's SSO account is removed from a maintainer, any associated API keys will no longer authenticate changes as that maintainer. If IPAM integration stops working, it must be straightforward to identify the cause and solution (i.e. that API key no longer works, generate a new one).
To remedy this I suggest that you make it possible to create API keys on the LIR account level as well, i.e., independent of individual user accounts.
Tore
We will review any use cases not supported by the switch to API keys. We want to make the migration away from passwords as straightforward as possible.

Regards
Ed Shryane
RIPE NCC