nanog mailing list archives

Re: NetSol's PGP auth ... and the road not taken


From: Len Sassaman <rabbi () quickie net>
Date: Tue, 23 Oct 2001 17:17:34 -0700 (PDT)


I posted a serious vulnerability in the NetSol PGP-AUTH system to BugTraq
a while back. If you search the archives, you'll find it. PGP-AUTH
provides effectively no authentication whatsoever, as far as I can tell.

It's definitely not worth the hassle one has to go through to get it to
function properly.

On Mon, 22 Oct 2001, J.D. Falk wrote:


On 10/22/01, Joe Rhett <jrhett () isite net> wrote:

i've been trying to add a pgp key to the verisign/netsol database for the
past two weeks. i've sent four messages, opened three web help requests,
and spent three hours on the phone with their helpdesk. they know less
than their customers about their own procedures and web documentation for
adding keys for PGP guardian auth.

Don't waste your time. We had PGP auth working for the last 6 years. It
will slow down any change you want to make by 3-5 days. Around 30% will get
rejected for no reason whatsoever, and much more fun stuff.

      I've had PGP AUTH broken for the last 6 years, and had the same
      kind of experience.  I just finished an ENTIRE MONTH of calling
      a couple of times a week to get a simple host record fixed.  In
      one call, somebody changed me from PGP AUTH to MAIL-FROM without
      effectively confirming that I was really me.

      VeriSign needs to cut their losses and start over.

--
J.D. Falk                                 "you can bomb the world to pieces,
<jdfalk () cybernothing org>                  but you can't bomb it into peace"
                                                      -- Michael Franti


--

Len Sassaman

Security Architect            |  "Now it's all change --
Technology Consultant         |   It's got to change more."
                              |
http://sion.quickie.net       |              --Joe Jackson









