Re: FW: [db-wg] Proposal to deprecate CRYPT-PW authorisation in the RIPE Database
Hi,

(I'm adding db-wg@ripe.net back into the CC: list)

On Thu, Oct 05, 2006 at 01:50:09PM +0400, Potapov Vladislav wrote:
> From: Gert Doering [mailto:gert@space.net]
> Changing from CRYPT-PW to MD5-PW doesn't incur any operational changes, and doesn't require key management and crypto of any sort, but *will* improve security.
>
> No "operational changes"?
In the day-to-day operation ("sending in mails to change objects to the RIPE DB") going from CRYPT-PW to MD5-PW *will* *not* *change* *anything*. The mail will still contain a "password: <something>" block, just the way this password is hashed in the maintainer object is different.
> Let's look at the plan to get an image that it's not so "problemless".
So where exactly *do* you see "problems"? In your mail you speak about "crypto" - which is NOT involved here (except hashing the password) - this proposal is not forcing anybody to go to PGP, just to a different password storing scheme.
> I don't speak about RIPE resources which should support this change. About security: there were several opponents of your view already. I'm adding myself to them.
Please get a reality check on what is proposed, and what is proposed as replacement.
> From: Gert Doering [mailto:gert@space.net]
> Security issues in the IRR DB impact all of us (like "fake objects, use that to leverage a routing attack").
>
> Let's not say fairy tales about that. I have asked about REAL LIFE problems with the scheme. Nobody has answered.
*Good* security is fixing problems *before* they happen. Like "lock your front door when you leave your house, even if you have never been burgled yet".

Gert Doering
        -- NetMaster
--
Total number of prefixes smaller than registry allocations: 98999

SpaceNet AG                 Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
D- 80807 Muenchen           Fax : +49-89-32356-234