Hm... After failing to find a press release about this on the NSI web site,
I found the following article on SecurityFocus:
http://www.securityfocus.com/news/54
After reading it, I think there must have been some misunderstanding on the
part of the person who wrote the article Dave is referring to (since no link
was provided, it's hard to say). The above article implies that the
CRYPT-PW and PGP methods will remain, and that the added verification e-mail
is an attempt at making the MAIL-FROM method slightly more difficult to
exploit. Given that it is the default, and the most common method out
there, I'd say this is a reasonable thing to do. No mention is made
anywhere of getting rid of the CRYPT-PW and PGP authentication methods.
Where were you reading this Dave?
Nathan
-----Original Message-----
X-Loop: openpgp.net
From: Dave Del Torto [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 02, 2000 10:36 PM
To: Openpgp
Cc: Lucky Green; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Has RSADSI Lost their mind?
An amusing if merely semi-related followup...
Network Solutions, Inc. (recently acquired by VeriSign for umpteen
hundreds of Billions of $, and a now major user of RSADSI's "*-SAFE"
toolkits... hmmm...) announced on 29 June that (as of 07 July, plenty
of lead time for all you multidomain admins, right?) they're removing
virtually all handle and domain security, because: "Security for our
customers has always been a top priority at Network Solutions."
Uh... come again with that undoubleplusgoodbarspeak, please?
Now, if you can wipe the tears of joy from your eyes, you'll see this
means that the two "secure methods" for domain management they've
ostensibly been offering for years, i.e. "CRYPT-PW" (which was always
suspect anyway: they left some chars of your hashed "password" in the
clear to make ::mumble-mumble:: easier for their Customer Service
people), and "PGP" (which never really worked anyway as you know if
you're one of the ~6,000 cypherpunks who tried to log a key and use
it), are going to be ratcheted down to "MAIL-FROM".
Yes, that's right, Ladies & Germs: MAIL-FROM! And yes, this applies
to all domains they have in their registry, because it's the new
"enhancement" to their Guardian service. If you've got a minim of
grey matter left in your cranium, you can probably guess that this
means they're soon going to offer another "enhancement" (this one you
pay for) involving X.509v3 keys...
But! Don't despair yet! Because meanwhile (...tan-tara-taaaah!):
>>..."NSI is enhancing "Mail-From" with an additional e-mail security
>>check. Specifically, NSI will e-mail a validation request to the
>>specific administrative and technical contact listed for a domain
>>name before making any modification to that domain name." ...
Yep, you've got the idea now: if you want to hijack a domain from an
NSI customer, boy, you'd best be some kinda ubergeek, 'cause you'll
be forced to spoof the email _twice_. Ouch! They're really puttin'
the screws on them nasty "hacker" types, huh? Whew!
If you were confused by this (and when was a message from NSI ever
not confusing?), naturally you'll go to their website to learn more:
>>To make modifications easier, we provided easy-to-follow
>>instructions on our web site at:
>><http://info.networksolutions.com/go/h/security/guardian/>
...where, among the gobbledygook, in FAQ#4 "What is PGP?", they have
a moribund hyperlink in the explanation to the "PGP website."
Ba-dum-dum, plink! OK, so this doesn't really matter _now_, and maybe
you had to be there back in the day to really appreciate the humor of
this, but after 4+ years of trying to get N$I to make the PGP option
work, _I_ found this kinda funny myself...
dave
PS: <http://www.opensrs.org> ...'nuff said.
___________________________________________________________________________
"And now: we'll be back after a few subliminal messages from our sponsors."