Hi Ed

Thanks for following up on this. Just one question, have you taken into account time zones? If an update is signed now in Dubai it is 19:51. If the update is processed on Amsterdam time, it is 16:51. Will this update fail because it is 3 hours in the future?

cheers
denis
co-chair DB-WG

From: Edward Shryane via db-wg <db-wg@ripe.net>
To: db-wg <db-wg@ripe.net>
Sent: Monday, 11 February 2019, 15:55
Subject: Re: [db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects

Dear Working Group,

to follow up on this discussion, the upcoming Whois 1.93 release will implement the following changes:

- Updates signed with an expired PGP key or X509 certificate will now FAIL (currently a warning is generated).
- Updates will FAIL one hour after they are signed, and also updates signed more than one hour in the future.
- Updates to key-cert objects with an Expired or Revoked public key (or certificate) will FAIL.

To measure the potential impact of these changes, I reviewed all Whois updates between October - December 2018.

- Approximately 4% of all updates are signed with a PGP key or X509 certificate.
- 99% of X509 key-cert certificates are expired. I found 5 X509 signed updates with an expired key.
- 16% of PGP key-cert keys are expired. I found 63 PGP signed updates with an expired key.
- I found 24 PGP signed updates more than one hour in the past, and none signed in the future.

We will notify maintainers of expired key-cert objects separately (by email) of this upcoming change.

Regards
Ed Shryane
RIPE NCC
On 1 Nov 2018, at 15:35, Christoffer Hansen (Lists) via db-wg <db-wg@ripe.net> wrote:
Dear DB WG,
It came to my attention that the RIPE NCC Database does not do validation of signed updates (other than checking that the key is allowed to sign updates for the object(s) in question).
I got the understanding from writing to DB-WG-Chairs this was a decision made years back.
I think it is less than optimal from a security perspective that a signed update (with GPG and/or X509 certs) is not validated against (1) when the update was signed (e.g. signing was done 10 minutes ago) and (2) that the expiration date of the keys is not validated.
Usually I would expect that if I revoke a GPG-key|X509-cert, it cannot be used any more. But the RIPE NCC Database does still allow this currently. This is relevant in the case I ever lose a private GPG-key|X509-cert to less-than-friendly 3rd parties, and the lost private GPG-key|X509-cert is the one used for signing updates to the database.
What I have in mind is that the RIPE NCC Database begins verifying the validity (not revoked and/or expired) of the GPG-key|X509-cert used to sign updates.
Christoffer
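The checks announced for Whois 1.93 (expired or revoked key, signed more than one hour in the past, signed more than one hour in the future), written out as an added example that is not part of this thread or of the RIPE NCC Whois code. SigningKey and check_signed_update are hypothetical names, the fingerprints are constructed values, and the Dubai and Amsterdam zones are modelled as fixed UTC+4 and UTC+1 (Amsterdam in February) offsets to show how the wall-clock times in the question above evaluate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Policy from the Whois 1.93 announcement in this thread: a signed update
# fails if the key is expired or revoked, if it was signed more than one
# hour ago, or if it was signed more than one hour in the future.
MAX_AGE = timedelta(hours=1)
MAX_FUTURE = timedelta(hours=1)


@dataclass
class SigningKey:                     # hypothetical model of a key-cert key
    fingerprint: str                  # constructed sample value, not a real key
    expires_at: Optional[datetime]    # None means the key has no expiry date
    revoked: bool = False


def check_signed_update(key: SigningKey, signed_at: datetime,
                        now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason). Both timestamps must carry a tzinfo so
    they are compared as instants; OpenPGP and X.509 signature times are
    recorded relative to UTC, so the signer's and server's local zones
    do not change the result."""
    if signed_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    if key.revoked:
        return False, "key revoked"
    if key.expires_at is not None and key.expires_at <= now:
        return False, "key expired"
    age = now - signed_at             # negative when signed in the future
    if age > MAX_AGE:
        return False, "signed more than one hour in the past"
    if -age > MAX_FUTURE:
        return False, "signed more than one hour in the future"
    return True, "ok"


def denis_example() -> Tuple[bool, str]:
    """The Dubai/Amsterdam case from the question above: 19:51 at UTC+4 and
    16:51 at UTC+1 are the same instant (15:51 UTC), so the update is zero
    seconds old when processed."""
    dubai = timezone(timedelta(hours=4))
    amsterdam = timezone(timedelta(hours=1))
    key = SigningKey("CONSTRUCTED0001", expires_at=None)
    signed_at = datetime(2019, 2, 11, 19, 51, tzinfo=dubai)
    now = datetime(2019, 2, 11, 16, 51, tzinfo=amsterdam)
    return check_signed_update(key, signed_at, now)


if __name__ == "__main__":
    print(denis_example())            # (True, 'ok')
```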