Hi Nick,
On 18 Sep 2024, at 17:46, Nick Hilliard <nick@foobar.org> wrote:
Edward Shryane wrote on 18/09/2024 17:39:
In addition to the existing alternatives, we also propose to introduce API keys linked to an SSO account to replace passwords, that is convenient and secure. An API key is an auto-generated string associated with a user account that can be used to authenticate updates on behalf of that user. They are already widely used across the Internet, although by different names (e.g. GitHub Tokens, Google Application Passwords, AWS does use API keys, etc.). Other RIPE NCC services already make use of API keys, for example the LIR Portal and RIPE Atlas.
API keys would be good and it would be great to see them supported.
That said, API keys are plain-text passwords, stored in plain-text on each side. They just happen to be a bit longer than login passwords, and can be implemented to have a more limited authorisation scope, that's all.
Thanks for your feedback. We plan to implement API keys as part of RIPE NCC access and not in the RIPE database, to allow other NCC services to use the same feature, and keep credentials out of the RIPE database. We will store API keys hashed and not plain-text on the server side. Indeed they must be protected on the client side like a password. Indeed we plan to allow API keys to be limited in scope.
So when you're implementing them, can you implement mandatory expiry periods, a la GitHub?
Nick
Features are not final yet as we are discussing internally. Indeed a mandatory expiry period does seem to be an industry best practice for API keys. We need to keep in mind some implications of automatically expiring API keys, e.g.

* We should allow a sufficiently long expiry that it doesn't impose a high burden to manually replace keys, balanced against the risk of a key being compromised.

* If we don't sufficiently notify users in advance, they may not rotate their key in time, causing automated updates to fail. We plan to warn users by email and in Whois update notification responses.

* If we migrate a group of maintainers from passwords to API keys around the same time, it's likely they will expire at the same time. There may be a spike in support requests to help rotate them. However, an expiring key doesn't lock a user out of their RIPE NCC access account, they will still be able to make updates interactively and generate a new API key themselves.

Regards
Ed Shryane
RIPE NCC
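The key properties discussed in this thread (only a hash stored server side, limited scope, mandatory expiry, and an advance warning so automated updates do not silently fail) as an added illustration that is not RIPE NCC code. The one-year lifetime, 30-day warning window, key format and scope names are assumptions; the thread fixes none of them.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed illustration, not RIPE NCC code. Lifetime and warning window are
# assumed values; the thread does not fix them.
KEY_LIFETIME = timedelta(days=365)
WARN_BEFORE_EXPIRY = timedelta(days=30)

def hash_secret(secret: str) -> str:
    # Keys are long random strings, so a plain SHA-256 (unlike a password KDF)
    # is enough to make the stored form useless if the table leaks.
    return hashlib.sha256(secret.encode()).hexdigest()

class ApiKeyStore:
    """Server side: keeps account, scope, expiry and the hash, never the key."""

    def __init__(self):
        self._records = {}

    def issue(self, account: str, scopes, now: datetime) -> str:
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = {
            "account": account,
            "scopes": frozenset(scopes),
            "hash": hash_secret(secret),
            "expires": now + KEY_LIFETIME,   # expiry is mandatory
        }
        return f"{key_id}.{secret}"          # shown to the user once only

    def authenticate(self, presented: str, scope: str, now: datetime):
        """Return (account, warning_or_None); raise PermissionError otherwise."""
        key_id, _, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if rec is None or not hmac.compare_digest(rec["hash"], hash_secret(secret)):
            raise PermissionError("unknown API key")
        if now >= rec["expires"]:
            # The account itself is not locked: the user can log in
            # interactively and generate a new key.
            raise PermissionError("API key expired; generate a new one")
        if scope not in rec["scopes"]:
            raise PermissionError("API key not authorised for this operation")
        remaining = rec["expires"] - now
        warning = None
        if remaining <= WARN_BEFORE_EXPIRY:
            warning = f"API key expires in {remaining.days} days; please rotate it"
        return rec["account"], warning
```

The same warning text is what would go into the email and Whois update notification responses mentioned above, so a user sees it on every update during the warning window.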