[19837] in North American Network Operators' Group
Re: InterNIC modification
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Sep 28 19:53:32 1998
Date: Mon, 28 Sep 1998 19:50:01 -0400
From: Jared Mauch <jared@puck.nether.net>
To: "Steven J. Sobol" <sjsobol@nacs.net>,
"Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
Cc: nanog@merit.edu
In-Reply-To: <19980928191825.35869@shell.nacs.net>; from Steven J. Sobol on Mon, Sep 28, 1998 at 07:18:25PM -0400
On Mon, Sep 28, 1998 at 07:18:25PM -0400, Steven J. Sobol wrote:
> On Mon, Sep 28, 1998 at 05:15:30PM -0400, Jay R. Ashworth wrote:
> > On Sun, Sep 27, 1998 at 11:14:42PM -0400, Steven J. Sobol wrote:
> > > I've found that on changes to domains for which I'm already a contact,
> > > setting my authentication to CRYPT-PW works well, causing changes to be
> > > completed within hours.
> > >
> > > Note that CRYPT-PW apparently only refers to how the passwords are stored
> > > on the InterNIC's servers; they're sent in plaintext when you e-mail the
> > > form.
> >
> > Well, you know... no.
> > I've seen the mail generated when you fill in the webform, and choose
> > CRYPT-PW. The CGI script encrypts the cleartext password, and that's
> > what's in the field in the email when it's mailed to you for
> > forwarding.
>
> Jay, my friend, I hate to be argumentative, but...
>
> Authorization
> 0a. (N)ew (M)odify (D)elete.........: M
> 0b. Auth Scheme.....................: CRYPT-PW
> 0c. Auth Info.......................: sj.3989.
>
> That is indeed the password associated with my NIC handle. Or was,
> anyhow. I've since changed it.
>
> That was in the e-mail sent to me, which was not PGP'd or encrypted in
> any way.
>
> This is rather silly. YES, it IS encrypted when you originally set the
> password. It IS NOT encrypted in a domain registration form though. It should
> be.
Then what stops me from finding your original crypt() and
sending that in.
In the case of what you want, pgp is the correct
solution.
