Hi Ed

Thanks for following up on this. Just one question, have you taken into account time zones? If an update is signed now in Dubai it is 19:51. If the update is processed on Amsterdam time, it is 16:51. Will this update fail because it is 3 hours in the future?

cheers
denis
co-chair DB-WG



From: Edward Shryane via db-wg <db-wg@ripe.net>
To: db-wg <db-wg@ripe.net>
Sent: Monday, 11 February 2019, 15:55
Subject: Re: [db-wg] Proposal for restricting authentication concerning use of revoked and expired GPG ID's in key-cert objects

Dear Working Group,

to follow up on this discussion, the upcoming Whois 1.93 release will implement the following changes:

- Updates signed with an expired PGP key or X509 certificate will now FAIL (currently a warning is generated).
- Updates will FAIL one hour after they are signed, and also updates signed more than one hour in the future.
- Updates to key-cert objects with an Expired or Revoked public key (or certificate) will FAIL.

To measure the potential impact of these changes, I reviewed all Whois updates between October - December 2018.

- Approximately 4% of all updates are signed with a PGP key or X509 certificate.
- 99% of X509 key-cert certificates are expired. I found 5 X509 signed updates with an expired key.
- 16% of PGP key-cert keys are expired. I found 63 PGP signed updates with an expired key.
- I found 24 PGP signed updates more than one hour in the past, and none signed in the future.

We will notify maintainers of expired key-cert objects separately (by email) of this upcoming change.

Regards
Ed Shryane
RIPE NCC


> On 1 Nov 2018, at 15:35, Christoffer Hansen (Lists) via db-wg <db-wg@ripe.net> wrote:
>
> Dear DB WG,
>
> It came to my attention the RIPE NCC Database does not do validation of
> signed updates. (Other than checking the key is allowed to sign updates
> for object(s) in question)
>
> I got the understanding from writing to DB-WG-Chairs this was a decision
> made years back.
>
> I think is less than optimal from a security perspective an signed
> update (with GPG and/or X509 certs) is not validated against (1) when
> the update was signed (E.g. signing was done 10 minutes ago) and (2)
> that the expiration date for the keys are not validated.
>
> Usually I will expect if I revoke a GPG-key|X509-cert. It cannot be used
> any more. But the RIPE NCC Database does still allow this currently.
> This is relevant in the case I ever lose a private GPG-key|X509-cert to
> less than friendly 3rd-parties. And the lost private GPG-key|X509-cert
> is the one used for signing updates to the database.
>
> What I have in mind. Is the RIPE NCC Database begins verifying validity
> (not revoked and/or expired) of GPG-key|X509-cert used to sign updates with.
>
> Christoffer
>