[7425] in cryptography@c2.net mail archive


Re: Has RSADSI Lost their mind?

daemon@ATHENA.MIT.EDU (Dave Del Torto)
Mon Jul 3 19:55:48 2000

Mime-Version: 1.0
Message-Id: <p0432042ab586bca4dc82@[192.168.248.7]>
In-Reply-To: <14688.58798.731182.243195@desk.crynwr.com>
Date: Mon, 3 Jul 2000 15:26:57 -0700
To: Russell Nelson <nelson@crynwr.com>
From: Dave Del Torto <ddt@openpgp.net>
Cc: ukcrypto@maillist.ox.ac.uk, cypherpunks@openpgp.net, cryptography@c2.net,
        CYBERIA-L@LISTSERV.AOL.COM
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 3:14 pm -0400 2000-07-03, Russell Nelson wrote:
>Dave Del Torto writes:
>>ostensibly been offering for years, i.e. "CRYPT-PW" (which was
>>always people), and "PGP" (which never really worked anyway  ...
>
>crypt-pw never worked either. At least, I could never get it to work.

I tried it once too, and it didn't really work for me either, but the
fact that they hashed all but the first two chars in your "-PW" made
it easy for their CustSvc people to recover over the phone. I once
pressed for an explanation of why this was done, but the contractor
who worked on that was long gone and no-one left seemed to know why
this was even implemented, much less how to automate it. "Guardian"
has always been half-asleep on duty, as far as I can tell.

As for other comments on my reading of NSI's recent security update,
if you think I was wrong, wait three months. All I can say is that,
based on things known to me that I can't talk about, I'm reading
between the lines in Mr. Kyle's email document, sent out on
2000-06-29 (appended). Skeptics will note that the phrase "Customers
who currently use existing Guardian security options do not have to
make any changes at all" does not necessarily imply that the security
options now available to those customers will always be so, and that
the qualifying phrase "until Guardian is updated" may have been
elided by the unnamed persons at NSI.

BTW, I don't know who this Meyer Wolfstone guy is, but I agree with
him about RSADSI. BTW, I'm taking votes for the songlist at the
patent exit party. ;)

    dave

_______________________________________________________
"If someone else rules your paper, write another way."



................................. cut here .................................
Date: Thu, 29 Jun 2000 07:49:38 -0400
From: "Network Solutions" <a_VeriSign_company.46@info.nsi-direct.com>
Subject: Important Security Update to Your Account

Dear Customer,

IMPORTANT ACCOUNT ENHANCEMENTS SCHEDULED: SECURITY UPGRADES
MAY REQUIRE ADDITIONAL STEP BEFORE CHANGES ARE MADE
**************************************************
Security for our customers has always been a top priority
at Network Solutions. Now we are taking that even further
as we merge with VeriSign, one of the industry leaders in
Internet security. We all recognize information security is
vital on the Internet, and we want to assure you that we
constantly monitor security and maintain systems that help
protect you and your information. This message is about
changes in our guardian security system.

WHAT DOES THIS MEAN FOR ME?
**************************************************
When you first registered your domain name you may have
selected a security option. You then currently have one
of three Guardian authentication methods: "Mail-From,"
Password (Crypt-PW), and Secure Encryption (PGP).

With our upcoming upgrade, customers who have not yet
selected a security option will be migrated to "Mail-From"
security. Customers who currently use the "Mail-From After
Update" Guardian authentication method will now have to
respond to an e-mail security check before the requested
changes will be implemented. Customers who currently use
existing Guardian security options do not have to make
any changes at all.

WHAT WILL HAPPEN WHEN I REQUEST A CHANGE?
**************************************************
NSI is enhancing "Mail-From" with an additional e-mail
security check. Specifically, NSI will e-mail a validation
request to the specific administrative and technical
contact listed for a domain name before making any
modification to that domain name. This means, if you have
"Mail-From" security, NSI will no longer implement a
requested change until we receive e-mail verification
confirming authorization from either contact. It's an extra
step, but it's worth it to protect your account.

WHEN WILL THIS HAPPEN?
**************************************************
We have scheduled the modification for Saturday, July 8,
2000, so you should check your account information to see
if it is correct. Actually, it's a good idea to check your
account periodically anyway.

To make modifications easier, we provided easy-to-follow
instructions on our web site at:
http://info.networksolutions.com/go/h/security/guardian/

Additionally, we updated the contact form FAQs, which can
be found at:
http://info.networksolutions.com/go/h/security/contact1/

Please note that we continue to enhance security. Future
security plans include the use of VeriSign certificates
for authentication. But don't worry; we will keep you
completely informed about these upcoming changes.

If you have further questions or concerns about this
current security upgrade, please contact our Customer
Service Department at:
http://info.networksolutions.com/go/h/security/contact2/


Sincerely,
F. Michael Kyle
Vice President, Customer Service
Network Solutions(R)
a VeriSign(R) company

Copyright 2000 Network Solutions, Inc. All rights reserved.


