[arin-tech-discuss] Another option for API and email?

Andy Newton andy at arin.net
Mon Jan 30 12:33:14 EST 2017


Hi Anthony,

The email address associated with an API Key was created for older template systems that could not accommodate the API Key in the email template. Currently, the system allows either a match from the email address or the presence of the API Key but does not force the email templates to contain an API Key if it is from the associated email address.

If you would like us to add a new feature for requiring both the API Key and a matched sending email address, we can contact you to have this formally submitted through the ARIN Consultation and Suggestion Process (ACSP) (https://www.arin.net/participate/acsp/index.html).

You may also be interested in a previously submitted request, ACSP 2011.17 (https://www.arin.net/participate/acsp/suggestions/2011-17.html), which requests the ability to assign more granular access permissions for API Keys.

Thanks for your time.
Andy Newton,
Chief Engineer

On Jan 27, 2017, at 11:37 AM, Delacruz, Anthony B <Anthony.DeLaCruz at CenturyLink.com> wrote:

I use old school emails and API key on some of my submissions as not all of our ranges are covered by the RESTful tool we have, internal politics, databases and the such. I have other teams that need to do some updates and am considering letting them email as well to distribute more work. I don’t want to just give them an API key; that seems like once you have the API key then anything is up for grabs and it could be easily shared. I don’t want to make these lower level staff related POC that has caused too much trouble in the past by their lack of understanding to even allow them an ARIN Online account. The option to associate it comes with all these warnings of doom and gloom inside ARIN Online, though that seems like it adds a measure of security? Now at least only that email can send in requests, where if anyone has an API key it doesn’t matter what email it comes from, they can make changes. Could/should there be an option where both the API key and email must match and both be submitted for the request to be processed? Would that tighten up security? Are there other suggestions as to how to distribute some change ability but still have measured control? I’ve spent months cleaning up bad records where former staff did completely bad and wrong entries and don’t want to again.