[ARIN-consult] Consultation on API Key Handling

[Richard Laager]

On 2024-08-08 10:20, ARIN wrote:
> ARIN is seeking feedback from the community on a potential improvement to increase the security for Application Programming Interface (API) key handling, specifically

> allowing the option to pass API keys in the header of a Restful Payload

Having that option seems to be pretty typical these days. I support ARIN 
adding this option.

> and to use IP address range bounding to limit the validity of an API key

Having that option potentially increases security. I support ARIN adding 
this option.

Whether it should be required to limit by IP is another question. It 
doesn't sound like ARIN is proposing to require that. If I were ARIN, I 
probably would not require that, at least not initially. As a user, for 
my use cases, requiring IP limitation would be fine, though, so I 
personally wouldn't object.

> When the API key is included in the payload, it is encrypted which increases the security of these programmatic transactions with ARIN systems.

I don't understand this. What payload encryption is being referenced?

> The current system relies on the security of the connection between the networks that transport these plain text API keys.

The current system allows HTTPS. So, yes, you rely on the security of 
the connection, which is HTTPS. That is not a problem.

> How urgent is the need for ARIN to bring its API key handling in line with the current best practices?

It doesn't seem super urgent. But it seems pretty trivial to do. The 
consultation will take more time than implementing it.

> By adding functionality to allow the API keys to be shared as a header parameter, ARIN would create an option for customers who prefer to encrypt their API keys.

Headers and body are equally encrypted when using HTTPS, so I do not 
understand this sentence.

-- 
Richard