[ARIN-consult] Consultation on API Key Handling

Chris Woodfield chris at semihuman.com
Thu Aug 8 19:27:23 EDT 2024


I’m working on the assumption that the implementation will be no more complex than an "Authorization: Token XXXX" HTTP header, which is a well-established pattern for API authentication. If the implementation were to be more complex than that, I’d raise an objection as well.

-C

> On Aug 8, 2024, at 15:58, William Herrin <bill at herrin.us> wrote:
> 
> On Thu, Aug 8, 2024 at 8:20 AM ARIN <info at arin.net> wrote:
>> We are seeking community input on the priority for updating the methods for the handling of API keys in ARIN’s RESTful provisioning system.
> 
> In my opinion...
> 
> Unless ARIN intends to release and maintain high-quality client
> software libraries in each of the top 20 programming languages, it
> should avoid security designs more complex than sharing a plain-text
> secret within an HTTPS session. The client implementation for a
> complex security scheme is pretty much always challenging and the
> documentation is never good enough to get things to match byte for
> byte as the security scheme tends to require.
> 
> Regards,
> Bill Herrin
> 
> 
> 
> -- 
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
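
The trade-off discussed in this thread, as an added example that is not part of either message and is not ARIN's design: a static "Authorization: Token" header checked with one comparison, beside a hypothetical HMAC request-signing scheme in which a client that builds the canonical string slightly differently is rejected. The key, secret, path, parameters and canonical form are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values; not real credentials or endpoints.
API_KEY = "EXAMPLE-KEY-0000"
SECRET = b"constructed-shared-secret"

def token_header(api_key):
    """Client side: plain shared secret in a header, protected only by HTTPS."""
    return {"Authorization": f"Token {api_key}"}

def server_check_token(headers, expected_key):
    """Server side of the token scheme: one constant-time comparison."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return scheme == "Token" and hmac.compare_digest(value, expected_key)

def canonical_request(method, path, params, sort_params=True):
    """Hypothetical canonical form: METHOD, path, sorted query string."""
    items = sorted(params.items()) if sort_params else list(params.items())
    return "\n".join([method.upper(), path, urlencode(items)]).encode()

def sign(secret, canonical):
    """HMAC-SHA256 over the canonical bytes, hex encoded."""
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()

def server_check_signature(secret, method, path, params, signature):
    """Server recomputes the signature from its own canonical form."""
    expected = sign(secret, canonical_request(method, path, params))
    return hmac.compare_digest(expected, signature)

def demo():
    params = {"page": "2", "handle": "EXAMPLE-1"}  # constructed request
    path = "/example/resource"                     # hypothetical path
    good = sign(SECRET, canonical_request("GET", path, params))
    # Same request from a client that did not sort the query string:
    # the signed bytes differ, so a valid caller is rejected.
    drifted = sign(SECRET, canonical_request("GET", path, params, sort_params=False))
    return {
        "token_ok": server_check_token(token_header(API_KEY), API_KEY),
        "signed_ok": server_check_signature(SECRET, "GET", path, params, good),
        "drifted_ok": server_check_signature(SECRET, "GET", path, params, drifted),
    }

if __name__ == "__main__":
    print(demo())
```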


