Hi Peter,

On 4 Dec 2013, at 14:54, Peter Koch <pk@DENIC.DE> wrote:
On Wed, Dec 04, 2013 at 12:57:26PM +0100, Alex Band wrote:
Most importantly, the functionality does not actually offer any additional security.
could you please elaborate on this assessment?
The way this system is implemented, an LIR Portal user with admin rights can issue X.509 certificates to users. However, they cannot be forced to use it. Also, a passphrase is optional, meaning that it’s not really two-factor. The result is – as some have pointed out in this thread – that the feature is often used for convenience (i.e. not having to enter a password) rather than offering enhanced security.
This is something that is provided by true two-factor authentication.
Sure, _true_ two-factor authentication.
I'd assume that since it's only .7%, the X.509 users (of which I am not one) are or have already been targeted directly?
No, not yet. We first wanted to gauge how the Community feels about the current RIPE NCC Access authentication options and get feedback from both X.509 certificate users and those that don't have them to see if this is functionality we should continue to offer, or whether we should replace it with something better. Depending on the outcome, we would contact all users with a certificate, letting them know what the plan is. I should add that I have already been contacted offline by several users who indicated that they would be fine with seeing it go, especially if it's replaced with a better solution.

Cheers,
Alex