3) Using PGP authentication (instead of md5 and CRYPT-PW)
In addition to MD5, the AFRINIC whois database supports PGP for authenticating whois database updates. In contrast to MD5, PGP provides stronger encryption techniques and guarantees that the signed update message was not tampered with. It is works by using a pair of keys generated by the user. The public key is uploaded to the whois database inside a key-cert object, and the user's email updates are signed using the private key on the user's device.
Since most whois database updates are submitted by e-mail, the only way to guarantee security is by using PGP, which AFRINIC strongly recommends to our members and the community.
This is because with the MD5 method, updates submitted by email are authenticated by the user inserting a clear text password in the e-mail body. Despite using technologies like SSL and TLS, AFRINIC has no control over all the stages that an e-mail goes through before final delivery to our whois server.
Combining different auth mechanisms
The whois database supports use of multiple authorization mechanisms in one mntner object. If an object is protected with a mntner that contains multiple md5 passwords and PGP keys, any one of the correct passwords or PGP-signed emails will authenticate. The mntner object captured below contains two "auth" attributes for both md5 and PGP authentication mechanisms. Either of the attributes can be used to authorize updates.
descr: Maintainer Toto telecom
auth: MD5-PW $1$09nxAH88$ZaDWuXGdly2boQi69atbN.