[ARIN-consult] Consultation on API Key Handling
Richard Laager
rlaager at wiktel.com
Thu Aug 8 12:52:19 EDT 2024
On 2024-08-08 10:20, ARIN wrote:
> ARIN is seeking feedback from the community on a potential improvement to increase the security for Application Programming Interface (API) key handling, specifically
> allowing the option to pass API keys in the header of a Restful Payload
Having that option seems to be pretty typical these days. I support ARIN
adding this option.
> and to use IP address range bounding to limit the validity of an API key
Having that option potentially increases security. I support ARIN adding
this option.
Whether it should be required to limit by IP is another question. It
doesn't sound like ARIN is proposing to require that. If I were ARIN, I
probably would not require that, at least not initially. As a user, for
my use cases, requiring IP limitation would be fine, though, so I
personally wouldn't object.
> When the API key is included in the payload, it is encrypted which increases the security of these programmatic transactions with ARIN systems.
I don't understand this. What payload encryption is being referenced?
> The current system relies on the security of the connection between the networks that transport these plain text API keys.
The current system allows HTTPS. So, yes, you rely on the security of
the connection, which is HTTPS. That is not a problem.
> How urgent is the need for ARIN to bring its API key handling in line with the current best practices?
It doesn't seem super urgent. But it seems pretty trivial to do. The
consultation will take more time than implementing it.
> By adding functionality to allow the API keys to be shared as a header parameter, ARIN would create an option for customers who prefer to encrypt their API keys.
Headers and body are equally encrypted when using HTTPS, so I do not
understand this sentence.
--
Richard
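The two options under discussion (a key carried in a request header, and a key whose validity is bounded to IP address ranges) can be checked on the server side like this. This is an added illustration, not ARIN's code; the header name, key store contents and address ranges are hypothetical, and the IP-bounding step is the part that adds security beyond the HTTPS transport.

```python
import hashlib
import hmac
import ipaddress

# Constructed key store (hypothetical data): keys are held as SHA-256
# digests, each with the CIDR ranges it is bound to. An empty list means
# the key is not IP-bound, which is the "optional" case in the proposal.
KEY_STORE = {
    hashlib.sha256(b"example-key-1").hexdigest(): {
        "owner": "org-a",
        "allowed_ranges": [ipaddress.ip_network("192.0.2.0/24")],
    },
    hashlib.sha256(b"example-key-2").hexdigest(): {
        "owner": "org-b",
        "allowed_ranges": [],
    },
}

HEADER_NAME = "x-api-key"  # hypothetical header name for the key


def lookup_key(presented):
    """Find the record for a presented key without a timing side channel."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored_digest, record in KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            return record
    return None


def authorize(headers, client_ip):
    """Return (ok, reason). `headers` uses lower-case names; `client_ip`
    must be the TCP peer address, not a client-supplied forwarding header,
    unless it comes from a proxy the server trusts."""
    presented = headers.get(HEADER_NAME)
    if not presented:
        return False, "missing api key header"
    record = lookup_key(presented)
    if record is None:
        return False, "unknown api key"
    ranges = record["allowed_ranges"]
    if ranges:  # key is IP-bound: enforce the range restriction
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False, "unparseable client address"
        if not any(addr in net for net in ranges):
            return False, "client address outside key's allowed ranges"
    return True, record["owner"]
```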