* Edward Shryane
However, if someone leaves a company, any credentials they had knowledge of should be changed. They should not have continued access to make updates on behalf of the company.
Hi again Ed, This is also true for PGP keys and X.509 certificates. If the policy going forward is that all database updates should be traceable to a specific individual user account, these authentication methods would also need to be retired, at least if you care about consistency. That said, for all of these the (ex-)employees are not expected to retain a copy of the secret material, be it an API key, a private PGP key, or a X.509 RSA key. The secret typically gets copied into the system that needs it right after it was created, and then promptly forgotten by the employee. It's of course fine if an organisation has a policy to change every single secret their employees have ever been in contact with every time an employee leaves just to be on the safe side, but I don't think it is something the RIPE NCC should enforce for every LIR. Tore