[7427] in cryptography@c2.net mail archive
Re: Has RSADSI Lost their mind?
daemon@ATHENA.MIT.EDU (James H. Cloos Jr.)
Tue Jul 4 14:01:23 2000
To: Dave Del Torto <ddt@openpgp.net>
Cc: Russell Nelson <nelson@crynwr.com>, ukcrypto@maillist.ox.ac.uk,
cypherpunks@openpgp.net, cryptography@c2.net,
CYBERIA-L@LISTSERV.AOL.COM
From: "James H. Cloos Jr." <cloos@jhcloos.com>
In-Reply-To: Dave Del Torto's message of "Mon, 3 Jul 2000 15:26:57 -0700"
Date: 03 Jul 2000 20:51:00 -0500
Message-ID: <m31z1abr3v.fsf@austin.jhcloos.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
>>>>> "Dave" == Dave Del Torto <ddt@openpgp.net> writes:
Dave> I tried it once too, and it didn't really work for me either,
Dave> but the fact that they hashed all but the first two chars in
Dave> your "-PW" made it easy for their CustSvc people to recover over
Dave> the phone.
Hmm. This is different than my experience w/ crypt-pw. Perhaps that
is why it did work for me....
I just used perl -e 'print crypt("foobar","SA"),"\n"' where foobar was
the passwd and SA some two-char salt. What that returned was sent in
the update (or create) form.
BTW -- the real reason for this followup -- if anyone has any good
suggestions for how I should engineer things to accept OpenPGP-
encrypted updates and orders for OpenSRS registered domains, I'm
all ears.
Plain text form? Or XML? Or ...?
How should I require the keys to be sent in to prevent key spoofing?
(Submission only via the TLS/SSL encrypted, username/passphrase
auth'ed manage CGI seems the easiest way.)
How should the daemon responding to the mail get the passphrase to
decrypt data encrypted to the daemon's public key?
Or is TLS/SSL encrypted HTTP enough?
-JimC
--
James H. Cloos, Jr. <http://jhcloos.com/public_key> 1024D/ED7DAEA6
<cloos@jhcloos.com> E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Is this post worth two cents? Then goto <http://2cw.org/23>!
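As an added illustration (not part of Jim's post and not OpenSRS's own tooling), this Perl script shows both halves of the crypt-pw scheme discussed above: producing the value with a two-character salt, and later verifying a submitted password by re-running crypt() with the salt read back from the first two characters of the stored value. The password "foobar" and salt "SA" are the ones from the post; the function names are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build a crypt-pw value from a password and a two-character salt.
# Traditional crypt(3) stores the salt as the first two characters of
# its output, which is why only the remainder is "hashed". Note that
# DES crypt also ignores everything past the eighth password character.
sub make_crypt_pw {
    my ($password, $salt) = @_;
    die "salt must be exactly two characters\n" unless length($salt) == 2;
    return crypt($password, $salt);
}

# Pick a two-character salt from the crypt(3) salt alphabet.
# Perl's rand() is fine for illustration but is not a CSPRNG.
sub random_salt {
    my @alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
    return join '', map { $alphabet[rand @alphabet] } 1 .. 2;
}

# Verify a submitted password against a stored crypt-pw: reuse the
# stored value's first two characters as the salt and compare.
sub check_crypt_pw {
    my ($candidate, $stored) = @_;
    my $salt = substr($stored, 0, 2);
    return crypt($candidate, $salt) eq $stored ? 1 : 0;
}

# Values from the post: password "foobar", salt "SA".
my $stored = make_crypt_pw("foobar", "SA");
print "crypt-pw value:             $stored\n";
print "correct password verifies:  ", check_crypt_pw("foobar", $stored), "\n";
print "wrong password is rejected: ", check_crypt_pw("foobaz", $stored), "\n";
print "with a fresh random salt:   ", make_crypt_pw("foobar", random_salt()), "\n";
```

Because the salt is stored in the clear, the same password yields a different crypt-pw under a different salt, so two records can only be compared by re-running crypt() with each record's own salt.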