Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: InterNIC modification

  • From: John A. Tamplin
  • Date: Mon Sep 28 20:39:31 1998

On Mon, 28 Sep 1998, Steven J. Sobol wrote:

> That is indeed the password associated with my NIC handle. Or was, 
> anyhow. I've since changed it.
> That was in the e-mail sent to me, which was not PGP'd or encrypted in
> any way.
> This is rather silly. YES, it IS encrypted when you originally set the
> password. It IS NOT encrypted in a domain registration form though. It should
> be.

Just like any security issue, you define what attacks you want to prevent and
what costs you are willing to pay for them.  In this case, the attack 
prevented by CRYPT-PW is an unauthorized person making changes to a domain,
which was a real problem when this was introduced.  The problem was 
specifically not that your email containing the password might be 
intercepted.  If you want that security, you need some digital signature
algorithm, such as PGP.

> For that matter, the OLD password is not encrypted on the contact form
> if you are modifying contact information for a certain handle, either.
> I guess that is supposed to make it easier to fill in the text file and
> mail it, as opposed to going to the web site. But it defeats the whole purpose
> of having an encrypted password.

I think it does its role exactly as intended - a level of security above
MAIL-FROM (essentially no security) without requiring complicated software
on the user end.  If you want complete security, you need some sort of
digital signature, which is precisely why they also offer PGP.

> Are people still having trouble with PGP, or has it been fixed?

Don't know, most everything we do is with our role account, which has to be
CRYPT-PW rather than PGP since various programs generate requests 
automatically, which would be difficult to do with PGP.

John Tamplin					Traveller Information Services
jat@Traveller.COM				2104 West Ferry Way
256/705-7007 - FAX 256/705-7100 		Huntsville, AL 35801

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.