Plan to discontinue email signing from certain addresses
Dear colleagues,

One of the goals of the RIPE NCC is to simplify and streamline our infrastructure and internal processes. Over the years, we have taken great strides in making our infrastructure easier to maintain and more cost effective. However, there are a couple of legacy scripts and tools that are entangled deeply in our workflows and are very hard to phase out in the short term.

One of these legacy tools is our ticketing system. The infrastructure we need and the resources it costs are disproportionate to the amount of value that it offers. Migrating away from it in one go is proving to be very complicated. This is why we have decided on a phased approach.

One element of the ticketing system that will be affected in the first phase is PGP Authentication:

https://www.ripe.net/lir-services/resource-management/contact/pgp-authentica...

Signing emails from hostmaster@ripe.net, lir-help@ripe.net, new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software. While we realise that it is a best practice to sign such emails and are aware of the value it offers, we are planning to discontinue email signing from just these addresses starting 1 January 2014. It will allow us to phase out a part of our infrastructure that makes future migration a lot easier, while saving cost in the mean time.

Please note that this change will not affect email interaction with the RIPE Database. As soon as we have replaced our current ticketing system, we will re-evaluate email signing.

As we may have overlooked some potential issues that certain members of our Community might have if we discontinue this functionality, naturally we are open to your feedback.

Kind regards,

Alex Band
Product Manager
RIPE NCC
Hi, On Tue, Apr 09, 2013 at 02:07:19PM +0200, Alex Band wrote:
Signing emails from hostmaster@ripe.net, lir-help@ripe.net, new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software.
I can't see that this would be a step forward.

PGP-signed mails were introduced to ensure mails from the NCC could be trusted, and I do not see this requirement as "having gone away".

Sorry if that makes your life a bit more tricky - but then, generating PGP signatures in a mail work flow is not rocket science either.

Gert Doering
-- using mail wherever possible to communicate with the NCC
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software.
I can't see that this would be a step forward.
PGP-signed mails were introduced to ensure mails from the NCC could be trusted, and I do not see this requirement as "having gone away".
I don't think the requirement has gone away, but I am not sure that maintaining PGP signatures in the emails is actually fulfilling it.

I would very much like to know if anyone is regularly checking the PGP signatures of tickets in their workflow (and, if that number is very small, whether there are other sensible ways to fulfil this requirement.)

Otherwise, PGP signing is just not solving this problem, and keeping it in place only makes sense if we have confidence that this will change on the user side.

Usage (current and future) is the only material point here, imo. We should resist the temptation to get into a discussion of relative costs and technology options. Arbitrarily adding more people to that sort of internal business discussion is not likely to make a better decision.

Best regards,
Dave

--
Dave Wilson, Project Manager
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
web: www.heanet.ie
Registered in Ireland, no 275301
tel: +353-1-660 9040 fax: +353-1-660 3666
Hi Alex,
Signing emails from hostmaster@ripe.net, lir-help@ripe.net, new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software. While we realise that it is a best practice to sign such emails and are aware of the value it offers, we are planning to discontinue email signing from just these addresses starting 1 January 2014. It will allow us to phase out a part of our infrastructure that makes future migration a lot easier, while saving cost in the mean time.
Bad idea. Come on, it can't be that difficult or expensive to add a digital signature to an e-mail. There are command line tools that can do that in a single line, and there is Python code that can do it in ±10! I don't know what software and language you are using, but if adding a PGP signature to outgoing messages is as hard as you describe then you're doing something horribly wrong... - Sander
Not really sure what makes this function so hard to keep in place? OTRS can do this out of the box and that system isn't legacy and is also free.

// Andreas

On 2013-04-09 14:32, Sander Steffann <sander@steffann.nl> wrote:
Hi Alex,
Signing emails from hostmaster@ripe.net, lir-help@ripe.net, new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software. While we realise that it is a best practice to sign such emails and are aware of the value it offers, we are planning to discontinue email signing from just these addresses starting 1 January 2014. It will allow us to phase out a part of our infrastructure that makes future migration a lot easier, while saving cost in the mean time.
Bad idea. Come on, it can't be that difficult or expensive to add a digital signature to an e-mail. There are command line tools that can do that in a single line, and there is Python code that can do it in ±10! I don't know what software and language you are using, but if adding a PGP signature to outgoing messages is as hard as you describe then you're doing something horribly wrong...
- Sander
On 9 Apr 2013, at 14:32, Sander Steffann <sander@steffann.nl> wrote:
Hi Alex,
Signing emails from hostmaster@ripe.net, lir-help@ripe.net, new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software. While we realise that it is a best practice to sign such emails and are aware of the value it offers, we are planning to discontinue email signing from just these addresses starting 1 January 2014. It will allow us to phase out a part of our infrastructure that makes future migration a lot easier, while saving cost in the mean time.
Bad idea. Come on, it can't be that difficult or expensive to add a digital signature to an e-mail. There are command line tools that can do that in a single line, and there is Python code that can do it in ±10! I don't know what software and language you are using, but if adding a PGP signature to outgoing messages is as hard as you describe then you're doing something horribly wrong...
Thanks for the quick feedback everyone. Of course we would have liked to avoid this situation altogether, but anyone who is familiar with phasing out legacy systems knows what kind of unfortunate obstacles can arise. Allow me to explain this in a little more detail, at the risk of ending up in a bikeshedding discussion. :)

Currently, tickets are being signed by a very old server, running an unsupported legacy OS and GNUPG1. In the beginning of the year, we tried phasing this server out and handle signing from one of our standard platforms running GNUPG2. That box signs emails very well, however our legacy ticketing refuses to play nice with it. We spent many, many hours on getting our ticketing system to behave, but to no avail. The result was that we rolled back to the old solution, followed by this announcement:

http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-January/001968.h...

The proposal to discontinue ticket signing would be a temporary measure to allow an easier transition. That's all we're asking for.

After we have migrated to a new platform, of course we can re-install the signing of e-mails if this is desired by the Community. Some of you have asked for a time indication for this transition period, but that is very hard to predict at this time as we have yet to decide on a new ticketing system and implementation plan.

If the membership feels that having any period, no matter how short, without these emails being signed is unacceptable then we will have to return with an alternative solution. Again, your feedback is very valuable in helping us with our planning. Please let me know if you have any questions.

Cheers,

-Alex
On 09/04/2013 15:59, Alex Band wrote:
The proposal to discontinue ticket signing would be a temporary measure to allow an easier transition. That's all we're asking for.
Much as I was enjoying munching popcorn while sitting on the sidelines, this seems like a reasonable proposal. Nick
Hi, On Tue, Apr 09, 2013 at 04:24:18PM +0100, Nick Hilliard wrote:
On 09/04/2013 15:59, Alex Band wrote:
The proposal to discontinue ticket signing would be a temporary measure to allow an easier transition. That's all we're asking for.
Much as I was enjoying munching popcorn while sitting on the sidelines, this seems like a reasonable proposal.
+1

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
On 09/04/2013 15:59, Alex Band wrote:
Thanks for the quick feedback everyone. Of course we would have liked to avoid this situation altogether, but anyone who is familiar with phasing out legacy systems knows what kind of unfortunate obstacles can arise. Allow me to explain this in a little more detail, at the risk of ending up in a bikeshedding discussion. :)
Currently, tickets are being signed by a very old server, running an unsupported legacy OS and GNUPG1. In the beginning of the year, we tried phasing this server out and handle signing from one of our standard platforms running GNUPG2. That box signs emails very well, however our legacy ticketing refuses to play nice with it. We spent many, many hours on getting our ticketing system to behave, but to no avail. The result was that we rolled back to the old solution, followed by this announcement:
http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-January/001968.h...
The proposal to discontinue ticket signing would be a temporary measure to allow an easier transition. That's all we're asking for.
That sounds fine to me.... next time try asking your management to allow you to say that straight out ;-) All the best Nigel
Hi Alex,
Currently, tickets are being signed by a very old server, running an unsupported legacy OS and GNUPG1. In the beginning of the year, we tried phasing this server out and handle signing from one of our standard platforms running GNUPG2. That box signs emails very well, however our legacy ticketing refuses to play nice with it. We spent many, many hours on getting our ticketing system to behave, but to no avail. The result was that we rolled back to the old solution, followed by this announcement:
http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-January/001968.h...
The proposal to discontinue ticket signing would be a temporary measure to allow an easier transition. That's all we're asking for.
Ah, you should have said so. Transitions and migrations are always difficult. I have no problem when it is just a temporary interruption.
After we have migrated to a new platform, of course we can re-install the signing of e-mails if this is desired by the Community. Some of you have asked for a time indication for this transition period, but that is very hard to predict at this time as we have yet to decide on a new ticketing system and implementation plan.
That is a bit unfortunate. Please keep us informed about progress, to avoid any more unnecessary surprises :-) And maybe we need a discussion on whether PGP signing is the appropriate tool for the requirements. I have the feeling that not many people check the signatures. But that is a different discussion. Thank you for providing some transparency here and explaining the rough roadmap. Keep doing that in the future :-) Cheers, Sander
The proposal to discontinue ticket signing would be a temporary measure to allow an easier transition. That's all we're asking for.
Fully agree with this.
And maybe we need a discussion on whether PGP signing is the appropriate tool for the requirements. I have the feeling that not many people check the signatures. But that is a different discussion.
Fully agree with this. :-) Dave -- Dave Wilson, Project Manager HEAnet Limited, Ireland's Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin 1 web: www.heanet.ie Registered in Ireland, no 275301 tel: +353-1-660 9040 fax: +353-1-660 3666
On 04/09/13 16:59, Alex Band wrote:
http://www.ripe.net/ripe/mail/archives/ncc-services-wg/2013-January/001968.h...
The proposal to discontinue ticket signing would be a temporary measure to allow an easier transition. That's all we're asking for.
After we have migrated to a new platform, of course we can re-install the signing of e-mails if this is desired by the Community.
That sounds great. -- Marco
On Tue, Apr 9, 2013 at 2:07 PM, Alex Band <alexb@ripe.net> wrote:
Signing emails from hostmaster@ripe.net, lir-help@ripe.net, new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software. While we realise that it is a best practice to sign such emails and are aware of the value it offers, we are planning to discontinue email signing from just these addresses starting 1 January 2014. It will allow us to phase out a part of our infrastructure that makes future migration a lot easier, while saving cost in the mean time.
Without specific data and hard numbers, it's hard to quantify how much money and effort RIPE NCC thinks it may save. Unless we are speaking of incredibly high numbers, I fail to see how not signing email is a good idea. Especially since you are giving a start date, not an end date. I strongly agree with Gert and Sander that this seems to be a bad idea. Richard
On Tue, Apr 09, 2013 at 02:07:19PM +0200, Alex Band wrote:
Signing emails from hostmaster@ripe.net, lir-help@ripe.net, new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software. While we realise that it is a best practice to sign such emails and are aware of the value it offers, we are planning to discontinue email signing from just these addresses starting 1 January 2014. It will allow us to phase out a part of our infrastructure that makes future migration a lot easier, while saving cost in the mean time.
it isn't obvious to me whether this is a transitional step and what the expected duration would be. That said, reducing authentication appears an odd signal to me, the technical/operational background of which I'd rather understand in more depth. -Peter
On 04/09/13 14:07, Alex Band wrote:
https://www.ripe.net/lir-services/resource-management/contact/pgp-authentica...
Signing emails from hostmaster@ripe.net, lir-help@ripe.net, new-lir@ripe.net and enum@ripe.net is one of the first pieces that we need to remove in order to phase out all the legacy software.
But why? How hard can it be to sign your outgoing mail? Sounds like a joke :-)

Is it even you, Alex? There's no way of telling....

Perhaps it's an idea for RIPE to introduce DKIM and DMARC? And hopefully leave PGP as it is.

Regards,

--
Marco
participants (10)

- Alex Band
- Andreas Larsen
- Dave Wilson
- Gert Doering
- Marco Davids (SIDN)
- Nick Hilliard
- Nigel Titley
- Peter Koch
- Richard Hartmann
- Sander Steffann