North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: InterNIC modification
- From: John A. Tamplin
- Date: Mon Sep 28 20:39:31 1998
On Mon, 28 Sep 1998, Steven J. Sobol wrote:
> That is indeed the password associated with my NIC handle. Or was,
> anyhow. I've since changed it.
> That was in the e-mail sent to me, which was not PGP'd or encrypted in
> any way.
> This is rather silly. YES, it IS encrypted when you originally set the
> password. It IS NOT encrypted in a domain registration form though. It should
Just like any security issue, you define what attacks you want to prevent and
what costs you are willing to pay for them. In this case, the attack
prevented by CRYPT-PW is an unauthorized person making changes to a domain,
which was a real problem when this was introduced. The problem was
specifically not that your email containing the password might be
intercepted. If you want that security, you need some digital signature
algorithm, such as PGP.
> For that matter, the OLD password is not encrypted on the contact form
> if you are modifying contact information for a certain handle, either.
> I guess that is supposed to make it easier to fill in the text file and
> mail it, as opposed to going to the web site. But it defeats the whole purpose
> of having an encrypted password.
I think it does its role exactly as intended - a level of security above
MAIL-FROM (essentially no security) without requiring complicated software
on the user end. If you want complete security, you need some sort of
digital signature, which is precisely why they also offer PGP.
> Are people still having trouble with PGP, or has it been fixed?
Don't know, most everything we do is with our role account, which has to be
CRYPT-PW rather than PGP since various programs generate requests
automatically, which would be difficult to do with PGP.
John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
256/705-7007 - FAX 256/705-7100 Huntsville, AL 35801