Hi Peter,

> On 19 Sep 2024, at 15:34, Peter Hessler <[email protected]> wrote:
> 
> Hi Ed, WG,
> 
> [speaking as myself, not co-chair]
> 
> In general I like this.

Thank you.

> I'll let others discuss their very valid points, but I want to bring up
> another.  In the "Notification of RIPE Database changes" emails, I'd
> love to see an identifier of who and how made the change.  Their user
> account if it's an SSO, a marker that says "MD5" if it's a hashed password,
> the PGP key id if it's signed, etc, etc.

We already do this if the update is authenticated by SSO or PGP, but not by 
MD5. We can additionally add "MD5" until it's deprecated, if the DB-WG has no 
objection?

For example, I see "Changed by SSO account: [email protected]" in some update 
notifications I received this morning when testing the 1.114 release.

> And in the future, an
> identifier for which API key or any type of auth so we can internally
> identify who made the change.  Of course, these identifiers would need
> to be visible to the admins of a mntner object.

It may be a security risk to reveal information about the API key itself (I 
will check this internally), but we could return the name of it as defined by 
the user themselves? 

At least we can identify which SSO user authenticated the update (either 
interactively or via an API key).

> 
> IMHO, this would help admins be able to trace which keys are actively in
> use and be able to fix their internal processes.
> 

API keys should not be shared but we can investigate how to identify to which 
SSO account an API key belongs.

> I'm looking at a notify email that was sent to us 8 minutes ago, and it
> does identify the IP address, but not which auth method was used.
> 

Perhaps the update was authenticated with a password?

Regards
Ed Shryane
RIPE NCC