NetSol's PGP auth ... and the road not taken
Len Sassaman
rabbi at quickie.net
Wed Oct 24 00:17:34 UTC 2001
I posted a serious vulnerability in the NetSol PGP-AUTH system to BugTraq
a while back. If you search the archives, you'll find it. PGP-AUTH
provides effectively no authentication whatsoever, as far as I can tell.
It's definitely not worth the hassle one has to go through to get it to
function properly.
On Mon, 22 Oct 2001, J.D. Falk wrote:
>
> On 10/22/01, Joe Rhett <jrhett at isite.net> wrote:
>
> > > i've been trying to add a pgp key to the verisign/netsol database for the
> > > past two weeks. i've sent four messages, opened three web help requests,
> > > and spent three hours on the phone with their helpdesk. they know less
> > > than their customers about their own procedures and web documentation for
> > > adding keys for PGP guardian auth.
> >
> > Don't waste your time. We had PGP auth working for the last 6 years. It
> > will slow down any change you want to make by 3-5 days. Around 30% will get
> > rejected for no reason whatsoever, and much more fun stuff.
>
> I've had PGP AUTH broken for the last 6 years, and had the same
> kind of experience. I just finished an ENTIRE MONTH of calling
> a couple of times a week to get a simple host record fixed. In
> one call, somebody changed me from PGP AUTH to MAIL-FROM without
> effectively confirming that I was really me.
>
> VeriSign needs to cut their losses and start over.
>
> --
> J.D. Falk "you can bomb the world to pieces,
> <jdfalk at cybernothing.org> but you can't bomb it into peace"
> -- Michael Franti
>
--
Len Sassaman
Security Architect | "Now it's all change --
Technology Consultant | It's got to change more."
|
http://sion.quickie.net | --Joe Jackson
More information about the NANOG
mailing list