Authentication Proposal for RIPE NCC Access
Dear colleagues, In our RIPE NCC Access authentication system, we offer the ability to log in using an X.509 identity certificate instead of a username and password. This functionality was transferred from the legacy authentication system we used to have, without evaluating the value of this feature at the time. Since then, we have encountered several implementation, user interface and support issues surrounding this feature, while it is used by less than 0.7% of the users with a RIPE NCC Access account. Most importantly, the functionality does not actually offer any additional security. This is something that is provided by true two-factor authentication. We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services. If the membership approves, the RIPE NCC could investigate ways to implement true two-factor authentication for RIPE NCC Access. We look forward to hearing your feedback. Kind regards, Alex Band Product Manager RIPE NCC
Hi,
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
I wouldn't mind if it was removed completely.
If the membership approves, the RIPE NCC could investigate ways to implement true two-factor authentication for RIPE NCC Access.
Yes, that would be a much better thing to invest resources in. Cheers, Sander
On 04.12.2013, at 13:58, Sander Steffann <sander@steffann.nl> wrote:
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
I wouldn't mind if it was removed completely.
get rid of it!
If the membership approves, the RIPE NCC could investigate ways to implement true two-factor authentication for RIPE NCC Access.
Yes, that would be a much better thing to invest resources in.
+1, mobile phone short message service comes into my mind best regards, Wolfgang -- Wolfgang Tremmel Director Customer Support DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main | Germany | www.de-cix.net Phone +49 69 1730902 26 | Mobile +49 171 8600816 | Fax +49 69 4056 2716 | wolfgang.tremmel@de-cix.net Geschaeftsfuehrer Harald A. Summa | Registergericht AG Koeln HRB 51135
+1, mobile phone short message service comes into my mind
for those of us who are not very local this would be costly randy
On Wed, Dec 04, 2013 at 06:51:48PM +0100, Randy Bush wrote:
+1, mobile phone short message service comes into my mind
for those of us who are not very local this would be costly
Indeed, I'd prefer sometimg like HOTP [1] or TOTP [2]. That way it is cheaper, and I don't depend on a cellphone provider and can use a wide variety of clients on both my cellphone and workstation. Kind regards, Job [1] - http://www.ietf.org/rfc/rfc4226.txt [2] - http://tools.ietf.org/html/rfc6238
Dear ncc-services-wg, Job, I'd like to second this; HOTP and/or TOTP are an excellent choice. Implementations are available for a wide range of mobile platforms. Google Authenticator, for example, supports both on iOS and Android. Many other open and closed source implementations exist for Blackberry, Symbian, and J2ME. Avoid SMS and robo-caller solutions; many places engineers find themselves working from in the real world (data-centers, optical regeneration containers, ...) have no mobile telephony reception. -- Respectfully yours, David Monosov On 12/04/2013 07:00 PM, Job Snijders wrote:
On Wed, Dec 04, 2013 at 06:51:48PM +0100, Randy Bush wrote:
+1, mobile phone short message service comes into my mind
for those of us who are not very local this would be costly
Indeed, I'd prefer sometimg like HOTP [1] or TOTP [2]. That way it is cheaper, and I don't depend on a cellphone provider and can use a wide variety of clients on both my cellphone and workstation.
Kind regards,
Job
[1] - http://www.ietf.org/rfc/rfc4226.txt [2] - http://tools.ietf.org/html/rfc6238
On Wed, 4 Dec 2013, Sander Steffann wrote:
Hi,
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
I wouldn't mind if it was removed completely.
+1. Do we know if these users rely solely on X.509 or do they have other options? Cheers, Daniel Stolpe _________________________________________________________________________________ Daniel Stolpe Tel: 08 - 688 11 81 stolpe@resilans.se Resilans AB Fax: 08 - 55 00 21 63 http://www.resilans.se/ Box 13 054 556741-1193 103 02 Stockholm
Hi Daniel, On 4 Dec 2013, at 14:45, Daniel Stolpe <stolpe@resilans.se> wrote:
On Wed, 4 Dec 2013, Sander Steffann wrote:
Hi,
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
I wouldn't mind if it was removed completely.
+1.
Do we know if these users rely solely on X.509 or do they have other options?
Everybody who has an X.509 certificate for RIPE NCC Access login also has a username and password. You can use either method to log in at all times. Cheers, Alex
On Wed, Dec 4, 2013 at 2:45 PM, Daniel Stolpe <stolpe@resilans.se> wrote:
On Wed, 4 Dec 2013, Sander Steffann wrote:
Hi,
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
I wouldn't mind if it was removed completely.
+1.
Do we know if these users rely solely on X.509 or do they have other options?
I'm only using x509... or think I somehow can remember my password if I try very hard ... and no I haven't been contacted about this before this mail on the subject. ... and really, I don't care That much if it's true two-factor or not, it's the easy of use that is the important factor for me. -- Roger Jorgensen | ROJO9-RIPE rogerj@gmail.com | - IPv6 is The Key! http://www.jorgensen.no | roger@jorgensen.no
Hi, Not using it, so I won't miss it. Two factor auth is on the right direction, so I support it. Regards, George On Wed, Dec 4, 2013 at 1:57 PM, Alex Band <alexb@ripe.net> wrote:
Dear colleagues,
In our RIPE NCC Access authentication system, we offer the ability to log in using an X.509 identity certificate instead of a username and password. This functionality was transferred from the legacy authentication system we used to have, without evaluating the value of this feature at the time.
Since then, we have encountered several implementation, user interface and support issues surrounding this feature, while it is used by less than 0.7% of the users with a RIPE NCC Access account. Most importantly, the functionality does not actually offer any additional security. This is something that is provided by true two-factor authentication.
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
If the membership approves, the RIPE NCC could investigate ways to implement true two-factor authentication for RIPE NCC Access.
We look forward to hearing your feedback.
Kind regards,
Alex Band Product Manager RIPE NCC
On Wed, Dec 04, 2013 at 12:57:26PM +0100, Alex Band wrote:
Most importantly, the functionality does not actually offer any additional security.
could you please elaborate on this assessment?
This is something that is provided by true two-factor authentication.
Sure, _true_ two-factor authentication. I'd assume that since it's only .7%, the X.509 users (of which I am not one) are or have already been targetted directly? -Peter
Hi Peter, On 4 Dec 2013, at 14:54, Peter Koch <pk@DENIC.DE> wrote:
On Wed, Dec 04, 2013 at 12:57:26PM +0100, Alex Band wrote:
Most importantly, the functionality does not actually offer any additional security.
could you please elaborate on this assessment?
The way this system is implemented, an LIR Portal user with admin rights can issue X.509 certificates to users. However, they cannot be forced to use it. Also, a passphrase is optional, meaning that it’s not really two-factor. The result is – as some have pointed out in this thread – that the feature is often used for convenience (i.e. not having to enter a password) rather than offering enhanced security.
This is something that is provided by true two-factor authentication.
Sure, _true_ two-factor authentication.
I'd assume that since it's only .7%, the X.509 users (of which I am not one) are or have already been targetted directly?
No not yet. We first wanted to gauge how the Community feels about the current RIPE NCC Access authentication options and get feedback from both X.509 certificate users and those that don't have them to see if this is functionality we should continue to offer, or whether we should replace it with something better. Depending on the outcome, we would contact all users with a certificate, letting them know what the plan is. I should add that I have already been contacted offline by several users who indicated that they would be fine with seeing it go, especially if it's replaced it with a better solution. Cheers, Alex
* Alex Band wrote:
The way this system is implemented, an LIR Portal user with admin rights can issue X.509 certificates to users. However, they cannot be forced to use it. Also, a passphrase is optional, meaning that it’s not really two-factor.
Whatever you smoke, stop it! Using certificates to authenticate is not and never was a two-factor method. The authentication scheme only proofs the possing of a private key. In which form the key is stored locally is outside of the scheme. You simply can't check this property.
On Wed, Dec 4, 2013 at 12:57 PM, Alex Band <alexb@ripe.net> wrote:
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
If the membership approves, the RIPE NCC could investigate ways to implement true two-factor authentication for RIPE NCC Access.
+1 -- Richard
Subject: [ncc-services-wg] Authentication Proposal for RIPE NCC Access Date: Wed, Dec 04, 2013 at 12:57:26PM +0100 Quoting Alex Band (alexb@ripe.net):
Dear colleagues,
In our RIPE NCC Access authentication system, we offer the ability to log in using an X.509 identity certificate instead of a username and password. This functionality was transferred from the legacy authentication system we used to have, without evaluating the value of this feature at the time.
The only method I use in authenticating towards RIPE NCC systems is PGP signaures on email sent to the autobot. This new-fangled web interface bothers me not. Go ahead and remove X.509, especially if it can be replaced with multifactor auth. As was already mentioned, the phone system is not the most optimal way to do multi-factor. Use HOTP/TOTP, as also was suggested. (But if you ever consider up^W^Wdowngrading from PGP-signed email, I'll raise hell. And behave very badly on the whisky BOF.) /Måns, not representing a LIR. If it matters. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Quick, sing me the BUDAPEST NATIONAL ANTHEM!!
On Wed, Dec 04, 2013 at 12:57:26PM +0100, Alex Band wrote:
In our RIPE NCC Access authentication system, we offer the ability to log in using an X.509 identity certificate instead of a username and password. This functionality was transferred from the legacy authentication system we used to have, without evaluating the value of this feature at the time.
Since then, we have encountered several implementation, user interface and support issues surrounding this feature, while it is used by less than 0.7% of the users with a RIPE NCC Access account. Most importantly, the functionality does not actually offer any additional security. This is something that is provided by true two-factor authentication.
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
Ok for me.
If the membership approves, the RIPE NCC could investigate ways to implement true two-factor authentication for RIPE NCC Access.
I'm glad to hear that. Piotr -- gucio -> Piotr Strzyżewski E-mail: Piotr.Strzyzewski@polsl.pl
Dear all, Am 2013-12-04 12:57, schrieb Alex Band:
We would like to propose to put this functionality in maintenance mode, meaning that it would be provided as it is without a service guarantee. Alternatively, it could be removed altogether. This would free us of a maintenance and support burden, meaning that we can spend these resources on other valuable services.
Totally agree. As far as I am concerned you could remove this feature altogether.
If the membership approves, the RIPE NCC could investigate ways to implement true two-factor authentication for RIPE NCC Access.
Nice. Regards! -- j.hofmüller aka Thesix >-<#!&$@@@? http://users.mur.at/thesix/
Alex, On Wed, 4 Dec 2013 12:57:26 +0100 Alex Band <alexb@ripe.net> wrote:
Since then, we have encountered several implementation, user interface and support issues surrounding this feature, while it is used by less than 0.7% of the users with a RIPE NCC Access account. Most importantly, the functionality does not actually offer any additional security. This is something that is provided by true two-factor authentication.
I'm curious how much access is actually done via X.509? That is to say, the 0.7% of users may be the most active ones, meaning that - for example - 25% of all RIPE NCC Access is done via X.509 authentication. (Or indeed it may be the opposite, with 0.1% of authentication done via X.509 certificates.) I think it is worthwhile getting this information before deciding one way or the other. Cheers, -- Shane
participants (16)
-
Alex Band -
Daniel Stolpe -
David Monosov -
George Giannousopoulos -
Job Snijders -
Jogi Hofmüller -
Lutz Donnerhacke -
Måns Nilsson -
Peter Koch -
Piotr Strzyzewski -
Randy Bush -
Richard Hartmann -
Roger Jørgensen -
Sander Steffann -
Shane Kerr -
Wolfgang Tremmel