On Mon, 28 Sep 1998, Steven J. Sobol wrote:
That is indeed the password associated with my NIC handle. Or was, anyhow. I've since changed it.
That was in the e-mail sent to me, which was not PGP'd or encrypted in any way.
This is rather silly. YES, it IS encrypted when you originally set the password. It IS NOT encrypted in a domain registration form though. It should be.
Just like any security issue, you define what attacks you want to prevent and what costs you are willing to pay for them. In this case, the attack prevented by CRYPT-PW is an unauthorized person making changes to a domain, which was a real problem when this was introduced. The problem was specifically not that your email containing the password might be intercepted. If you want that security, you need some digital signature algorithm, such as PGP.
For that matter, the OLD password is not encrypted on the contact form if you are modifying contact information for a certain handle, either.
I guess that is supposed to make it easier to fill in the text file and mail it, as opposed to going to the web site. But it defeats the whole purpose of having an encrypted password.
I think it does its role exactly as intended - a level of security above MAIL-FROM (essentially no security) without requiring complicated software on the user end. If you want complete security, you need some sort of digital signature, which is precisely why they also offer PGP.
Are people still having trouble with PGP, or has it been fixed?
Don't know, most everything we do is with our role account, which has to be CRYPT-PW rather than PGP since various programs generate requests automatically, which would be difficult to do with PGP.

John Tamplin                       Traveller Information Services
jat@Traveller.COM                  2104 West Ferry Way
256/705-7007 - FAX 256/705-7100    Huntsville, AL 35801