[43704] in North American Network Operators' Group


Re: NetSol's PGP auth ... and the road not taken

daemon@ATHENA.MIT.EDU (Len Sassaman)
Tue Oct 23 20:18:36 2001

Date: Tue, 23 Oct 2001 17:17:34 -0700 (PDT)
From: Len Sassaman <rabbi@quickie.net>
To: "J.D. Falk" <jdfalk@cybernothing.org>
Cc: <nanog@merit.edu>
In-Reply-To: <20011022153834.K86121@cybernothing.org>
Message-ID: <Pine.LNX.4.30.QNWS.0110231715100.20295-100000@thetis.deor.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


I posted a serious vulnerability in the NetSol PGP-AUTH system to BugTraq
a while back. If you search the archives, you'll find it. PGP-AUTH
provides effectively no authentication whatsoever, as far as I can tell.

It's definitely not worth the hassle one has to go through to get it to
function properly.

On Mon, 22 Oct 2001, J.D. Falk wrote:

>
> On 10/22/01, Joe Rhett <jrhett@isite.net> wrote:
>
> > > i've been trying to add a pgp key to the verisign/netsol database for the
> > > past two weeks. i've sent four messages, opened three web help requests,
> > > and spent three hours on the phone with their helpdesk. they know less
> > > than their customers about their own procedures and web documentation for
> > > adding keys for PGP guardian auth.
> >
> > Don't waste your time. We had PGP auth working for the last 6 years. It
> > will slow down any change you want to make by 3-5 days. Around 30% will get
> > rejected for no reason whatsoever, and much more fun stuff.
>
> 	I've had PGP AUTH broken for the last 6 years, and had the same
> 	kind of experience.  I just finished an ENTIRE MONTH of calling
> 	a couple of times a week to get a simple host record fixed.  In
> 	one call, somebody changed me from PGP AUTH to MAIL-FROM without
> 	effectively confirming that I was really me.
>
> 	VeriSign needs to cut their losses and start over.
>
> --
> J.D. Falk                                 "you can bomb the world to pieces,
> <jdfalk@cybernothing.org>                  but you can't bomb it into peace"
>                                                       -- Michael Franti
>

--

Len Sassaman

Security Architect            |  "Now it's all change --
Technology Consultant         |   It's got to change more."
                              |
http://sion.quickie.net       |              --Joe Jackson









