North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Internic PGP Auth busted

  • From: John Caruso
  • Date: Mon Feb 23 18:29:32 1998

> I posted a rant about this to bugtraq almost a year ago.  In the case
> where it happened to me I was already annoyed because an update that had
> been NAKed several times was applied when a single ACK was received over a
> month later (sent by a former employee who happened to have the month old
> NOTIFY).  And then when I called them to ask them WTF they requested that
> I fax them some letterhead to "prove" that I was who I said I was. 

This is unfortunately standard.  I've seen unsigned modifications go
through for PGP-protected domains, and I've seen correctly signed
modifications fail for the same domains.  In fact our standard practice
now is "send it until it works", since inevitably a modification which
fails (incorrectly) one time will work if you just try it enough times.

The funniest (?) part is when someone can put through a modification
with no authentication whatsoever, then when you call to fix the damage,
the InterNIC demands letterhead/CEO signatures/blood samples/etc.

John Caruso, Director, System/Network Administration
CNET: The Computer Network          Email: [email protected]
150 Chestnut Street                 Phone: 415.395.7805 x1310
San Francisco, CA  94111            Fax:   415.623.2458