Hi HÃ¥vard, All,
In the whois server, if a maintainer object *only* contains auth: lines using currently deemed to be secure methods (currently PGP or X.509), then reveal all the auth: lines to the whois client. Otherwise, if the maintainer object contains one or more lower-security auth: attribute (currently MD5-based passwords), filter out *all* the auth: attributes.
I would like to see this implemented, as it involves the least amount of disruption to our existing practices. Indeed, when I first read the documentation of the change, I thought this was in fact how the RIPE-NCC had planned to implement it, but I a closer reading when experience seemed to show otherwise proved me wrong. There is one minor drawback with it, which I feel I could live with (as I don't have any MD5 hashs that I know of to worry about). The change would make it possible to identify mntner objects that have weak MD5 protection, by excluding any that show any auth: attributes. If the actual hash is not disclosed though, I think the risk is minimal for the gain. Best regards, Brian. -- Brian Boyle, Network Services Manager HEAnet Limited, Ireland's Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin 1 Registered in Ireland, no 275301 tel: +353-1-660 9040 fax: +353-1-660 3666 web: http://www.heanet.ie/