Internic PGP Auth busted
John Caruso
caruso at cnet.com
Mon Feb 23 22:47:29 UTC 1998
> I posted a rant about this to bugtraq almost a year ago. In the case
> where it happened to me I was already annoyed because an update that had
> been NAKed several times was applied when a single ACK was received over a
> month later (sent by a former employee who happened to have the month-old
> NOTIFY). And then when I called them to ask them WTF they requested that
> I fax them some letterhead to "prove" that I was who I said I was.

This is unfortunately standard. I've seen unsigned modifications go
through for PGP-protected domains, and I've seen correctly signed
modifications fail for the same domains. In fact our standard practice
now is "send it until it works", since inevitably a modification which
fails (incorrectly) one time will work if you just try it enough times.

The funniest (?) part is when someone can put through a modification
with no authentication whatsoever, then when you call to fix the damage,
the InterNIC demands letterhead/CEO signatures/blood samples/etc.
--
John Caruso, Director, System/Network Administration
CNET: The Computer Network Email: caruso at cnet.com
150 Chestnut Street Phone: 415.395.7805 x1310
San Francisco, CA 94111 Fax: 415.623.2458