Dear colleagues,

Thank you all for your feedback so far, it is very helpful.

I will attempt to summarise as follows (please correct me as necessary):

(1) There is a strong preference for shared credentials at the LIR account level, independent of individual users. If a user leaves the company, the shared credential should not automatically expire. The organisation must be able to maintain the API keys including listing and invalidating them.

(2) Include scope(s) when creating an API key, such as limiting the source IP ranges.

(3) Include API key expiry. Allow API keys to optionally expire, depending on the scope.

(4) Make sure there is comprehensive documentation for API keys to help with adoption.

I will discuss internally how we can accommodate your feedback and how it affects the migration plan away from MD5 hashed passwords.

Regards
Ed Shryane
RIPE NCC

On 18 Sep 2024, at 17:39, Edward Shryane <eshryane@ripe.net> wrote:
Dear colleagues,
At RIPE 88 during the DB-WG session, I mentioned the need to replace MD5 hashed passwords that are used for authenticating updates in the RIPE Database. Now I’d like to present an impact analysis of doing this, what the alternatives are, and a draft migration plan.
Please let me know your feedback. I plan to finalise the contents and present at RIPE 89 next month.
Regards
Ed Shryane
RIPE NCC