[15472] in North American Network Operators' Group
Re: Internic PGP Auth busted
daemon@ATHENA.MIT.EDU (John Caruso)
Mon Feb 23 18:01:16 1998
From: John Caruso <caruso@cnet.com>
To: nanog@merit.edu
Date: Mon, 23 Feb 1998 14:47:29 -0800 (PST)
In-Reply-To: <Pine.LNX.3.96dg4.980223124535.8561E-100000@twinlark.arctic.org> from "Dean Gaudet" at Feb 23, 98 12:51:28 pm

> I posted a rant about this to bugtraq almost a year ago. In the case
> where it happened to me I was already annoyed because an update that had
> been NAKed several times was applied when a single ACK was received over a
> month later (sent by a former employee who happened to have the month-old
> NOTIFY). And then when I called them to ask them WTF they requested that
> I fax them some letterhead to "prove" that I was who I said I was.

This is unfortunately standard. I've seen unsigned modifications go
through for PGP-protected domains, and I've seen correctly signed
modifications fail for the same domains. In fact our standard practice
now is "send it until it works", since inevitably a modification which
fails (incorrectly) one time will work if you just try it enough times.
The funniest (?) part is when someone can put through a modification
with no authentication whatsoever, then when you call to fix the damage,
the InterNIC demands letterhead/CEO signatures/blood samples/etc.

--
John Caruso, Director, System/Network Administration
CNET: The Computer Network     Email: caruso@cnet.com
150 Chestnut Street            Phone: 415.395.7805 x1310
San Francisco, CA 94111        Fax: 415.623.2458