InterNIC modification

Hi all!

Is it Internic becoming slower in their modifications? We have sent a
modification request twice and until now - nothing has happened....

William

It is not being sent from the address of one of the contacts, so it
will not be automatically processed.

Anything that isn't automatically processed gets printed and thrown
into a big slightly malfunctioning paper shredder. Anything that makes
it through the paper shreader is then looked at and sometimes responded
to. The time that it takes for this to happen is based on the mandatory
one week delay before it is printed just for good luck, and then the
chances of making it through the shredder. Note that their method may
vary slightly from that described above, but the effect is the same.

Your chances at getting any response from hostmaster@internic.net to
something that isn't handled automatically are slim to none in my
experience. Normally, repeated phone calls and followup calls are the
proper way to do this.

I've found that on changes to domains for which I'm already a contact,
setting my authentication to CRYPT-PW works well, causing changes to be
completed within hours.

Note that CRYPT-PW apparently only refers to how the passwords are stored
on the InterNIC's servers; they're sent in plaintext when you e-mail the
form.

Well, you know... no.

I've seen the mail generated when you fill in the webform, and choose
CRYPT-PW. The CGI script encrypts the cleartext password, and that's
what's in the field in the email when it's mailed to you for
forwarding.

Whether they intend for you to cut it out and save it for future
mailings or what I've never been sure...

Cheers,
-- jra

Jay, my friend, I hate to be argumentative, but...

Authorization
0a. (N)ew (M)odify (D)elete.........: M
0b. Auth Scheme.....................: CRYPT-PW
0c. Auth Info.......................: sj.3989.

That is indeed the password associated with my NIC handle. Or was,
anyhow. I've since changed it.

That was in the e-mail sent to me, which was not PGP'd or encrypted in
any way.

This is rather silly. YES, it IS encrypted when you originally set the
password. It IS NOT encrypted in a domain registration form though. It should
be.

For that matter, the OLD password is not encrypted on the contact form
if you are modifying contact information for a certain handle, either.

I guess that is supposed to make it easier to fill in the text file and
mail it, as opposed to going to the web site. But it defeats the whole purpose
of having an encrypted password.

Are people still having trouble with PGP, or has it been fixed?

Then what stops me from finding your original crypt() and
sending that in.

  In the case of what you want, pgp is the correct
solution.

That is indeed the password associated with my NIC handle. Or was,
anyhow. I've since changed it.

That was in the e-mail sent to me, which was not PGP'd or encrypted in
any way.

This is rather silly. YES, it IS encrypted when you originally set the
password. It IS NOT encrypted in a domain registration form though. It should
be.

Just like any security issue, you define what attacks you want to prevent and
what costs you are willing to pay for them. In this case, the attack
prevented by CRYPT-PW is an unauthorized person making changes to a domain,
which was a real problem when this was introduced. The problem was
specifically not that your email containing the password might be
intercepted. If you want that security, you need some digital signature
algorithm, such as PGP.

For that matter, the OLD password is not encrypted on the contact form
if you are modifying contact information for a certain handle, either.

I guess that is supposed to make it easier to fill in the text file and
mail it, as opposed to going to the web site. But it defeats the whole purpose
of having an encrypted password.

I think it does its role exactly as intended - a level of security above
MAIL-FROM (essentially no security) without requiring complicated software
on the user end. If you want complete security, you need some sort of
digital signature, which is precisely why they also offer PGP.

Are people still having trouble with PGP, or has it been fixed?

Don't know, most everything we do is with our role account, which has to be
CRYPT-PW rather than PGP since various programs generate requests
automatically, which would be difficult to do with PGP.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
256/705-7007 - FAX 256/705-7100 Huntsville, AL 35801

Jared, I agree with you and would prefer pgp, but several people on this
list have said that pgp auth is broken.... thus my question "has it been
fixed"... So, for right now, CRYPT-PW seems to be the way to go... it's at
least faster than MAIL-FROM.

> > Note that CRYPT-PW apparently only refers to how the passwords are stored
> > on the InterNIC's servers; they're sent in plaintext when you e-mail the
> > form.
>
> Well, you know... no.
> I've seen the mail generated when you fill in the webform, and choose
> CRYPT-PW. The CGI script encrypts the cleartext password, and that's
> what's in the field in the email when it's mailed to you for
> forwarding.

Jay, my friend, I hate to be argumentative, but...

Authorization
0a. (N)ew (M)odify (D)elete.........: M
0b. Auth Scheme.....................: CRYPT-PW
0c. Auth Info.......................: sj.3989.

That is indeed the password associated with my NIC handle. Or was,
anyhow. I've since changed it.

That was in the e-mail sent to me, which was not PGP'd or encrypted in
any way.

They've changed it, then. When I last used CRYPT-PW to register a
domain, I entered my password into the webform and the mail I was sent
to forward back in had a crypt(2) looking string in that position.

For that matter, the OLD password is not encrypted on the contact form
if you are modifying contact information for a certain handle, either.

The entire operation is pretty teen-age, as fas as I'm concerned.

I guess that is supposed to make it easier to fill in the text file and
mail it, as opposed to going to the web site. But it defeats the whole purpose
of having an encrypted password.

Quite.

Cheers,
-- jra