Dear all, First of all, I would like to thank you for the feedback provided. This is very much appreciated and helps us in deciding the way forward. Second, I understand the impact that these requirements can have on you and the inconvenience that they can cause. We need to find the right balance between security and ease of use, and sometimes this can be a difficult puzzle to solve. Now, answering some of the points raised. About OAuth2: we have indeed considered it and we do plan to support this in the future. It has a number of useful features as has been mentioned here. However, it was not chosen now because we want a straightforward replacement for passwords to help our users migrate more easily. Adding support for OAuth2 flows on the client is not as straightforward when compared to API keys. Also, we didn’t want to divide our focus internally by adding support for two different authentication methods simultaneously. About the expiry time for the API keys: we chose a maximum of one year expiry of API keys as a trade-off between security and ease of use. A long validity period is convenient but increases the risk the API key is exposed. In addition, a procedure to rollover the API key is necessary no matter the validity period. However, the longer the validity, the less frequently this procedure is performed. This can lead to a risk that staff will be unfamiliar with doing it, which may result in downtime if the procedure is not followed correctly. Before any API key expires, the RIPE NCC will notify the user via the website and by email, giving them time to perform a rollover. An organisation can also track the expiration themselves as part of their rollover procedure. Finally, we will not encourage the sharing of RIPE NCC Access accounts to share credentials. As already mentioned, it is a better practice for individuals to manage their own credentials separately. If you have further questions please let me know. Kind regards, Felipe Victolla Silveira Chief Technology Officer RIPE NCC On Fri, 11 Oct 2024 at 00:38, Job Snijders <job@sobornost.net> wrote:
Dear Felipe, RIPE NCC,
Thank you for your efforts to improve account security for LIRS. I appreciate the approach to tie API keys to individual RIPE NCC Access accounts. I imagine the approach might help improve employee off-boarding processes.
I want to comment on one specific aspect that I'm not entirely comfortable with:
On Wed, Oct 09, 2024 at 02:28:26PM +0200, Felipe Silveira wrote:
Secondly, we will implement mandatory API key expiration dates. We will allow the user to choose the expiry date when creating a new key, but expiry cannot be more than one year. We will notify the RIPE NCC Access user in advance by email and on our web interface(s), if any of their API keys are due to expire soon.
I don't see the security advantage here. The "expires after a year"-approach means that once a year API users need to copy private key material from RIPE portal to internal tooling, get the change approved, test the results, etc.
Such events are are both a security sensitive operation and also a potential operational problem when the API key isn't replaced in time. I fear I see a potential for folks ending up working under time pressure. If the expiry happens to coincidence with a change freeze it'll be unwelcome.
Introducing an ability which allows users to set expiry dates on API keys seems fine, but the maximum expiry of 1 year seems to short. I'd prefer it if the expiry moment is left as a decision to the user.
Kind regards,
Job