Re: InterNIC modification

["Steven J. Sobol" <sjsobol () nacs net>]

On Mon, Sep 28, 1998 at 05:15:30PM -0400, Jay R. Ashworth wrote:
> On Sun, Sep 27, 1998 at 11:14:42PM -0400, Steven J. Sobol wrote:
> > I've found that on changes to domains for which I'm already a contact,
> > setting my authentication to CRYPT-PW works well, causing changes to be
> > completed within hours.
> >
> > Note that CRYPT-PW apparently only refers to how the passwords are stored
> > on the InterNIC's servers; they're sent in plaintext when you e-mail the
> > form.
>
> Well, you know... no.
> I've seen the mail generated when you fill in the webform, and choose
> CRYPT-PW.  The CGI script encrypts the cleartext password, and that's
> what's in the field in the email when it's mailed to you for
> forwarding.

Jay, my friend, I hate to be argumentative, but...

Authorization
0a. (N)ew (M)odify (D)elete.........: M
0b. Auth Scheme.....................: CRYPT-PW
0c. Auth Info.......................: sj.3989.

That is indeed the password associated with my NIC handle. Or was, 
anyhow. I've since changed it.

That was in the e-mail sent to me, which was not PGP'd or encrypted in
any way.

This is rather silly. YES, it IS encrypted when you originally set the
password. It IS NOT encrypted in a domain registration form though. It should
be.

For that matter, the OLD password is not encrypted on the contact form
if you are modifying contact information for a certain handle, either.

I guess that is supposed to make it easier to fill in the text file and
mail it, as opposed to going to the web site. But it defeats the whole purpose
of having an encrypted password.

Are people still having trouble with PGP, or has it been fixed?


-- 

Anyone who spams me will be subject to torture by Jake,
my killer attack hedgehog, and/or Lizzy and Junior, my man-eating iguanas.