At 02:17 PM 1/21/02 -0800, Gregory Neil Shapiro wrote:

>sallan> - the ability to have renewal message bounce reports include
>sallan>   current WHOIS output
>
>The public WHOIS should not include bounce reports.

The concept was not to include further data in WHOIS responses, but to append the current WHOIS output to the "bounce" message itself. Apologies if that was not clear...

>sallan> - the ability to *require* registrants to use your manage interface
>sallan>   only (would have some service level requirements)
>
>This is by far the most important one here. With the recent addition
>of the ability to have a user's password mailed out (see OpenSRS.conf's
>allow_password_requests option), you've created a large security problem.
>
>Even if I have that option turned off, any other OpenSRS management
>interface with it enabled would allow an attacker to have my domain
>username and password mailed to me. The problem here is that mail travels
>over the Internet in plain text and contains my password. I think you can
>see the danger here.
>
>Although I realize there are issues here, it would be nicer to allow me to
>query for a user's password using the (secure) RWI and then I can
>communicate that password to my customer securely (notably with a PGP
>encrypted message).

Interesting angle I had not considered. I guess my response would be that should someone's email account become compromised (or data sniffed), the ability to do all sorts of damage has always been there. I am not sure how to design against this - allowing registrants to have their U:P combo sent to them is a really useful feature, and is pretty standard. I can't think of a way that improves security without seriously compromising usability... PGP is nowhere near widely enough deployed. I guess we could let resellers globally disable this for their names, but that would likely not be an option that many would choose, therefore not greatly improving security (it would of course allow those who desire greater security to have it). My understanding (perhaps wrong) is that plain text data (password) sniffing exploits are pretty rare - anyone violently disagree?

It has always struck me as something that is possible, but not generally worth it. In this case, not only would you have to be able to guarantee you could get all the mail sniffed, but also be familiar with the OSRS manage system.

Further ideas and suggestions are welcome.

- sA

Scott Allan
Director
OpenSRS
[EMAIL PROTECTED]
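The thread leaves the design question open. As an added example (not OpenSRS code; every name here, including the per-reseller switch and the registrant records, is a constructed assumption), this is the usual way to reduce the exposure Gregory describes: mail a short-lived, single-use reset token rather than the password, and give each reseller a switch to turn the mailed path off entirely. A sniffed or leaked message then yields a revocable, expiring capability instead of the credential itself, and the server never stores the raw token.

```python
"""Password-reset flow that mails a short-lived, single-use token instead of
the password. Added illustration, not OpenSRS code; all names are constructed."""

import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a mailed reset token

# Constructed sample data: a per-reseller switch (the "let resellers globally
# disable this" idea from the thread) and two registrant records.
RESELLER_ALLOWS_MAIL_RESET = {"reseller-a": True, "reseller-b": False}
USERS = {
    "example.test": {"reseller": "reseller-a", "password_hash": None},
    "locked.test": {"reseller": "reseller-b", "password_hash": None},
}
# sha256(token) -> (domain, expiry). Raw tokens are never written to storage,
# so a copy of this table does not let anyone redeem a reset.
PENDING_RESETS = {}


def _hash(value):
    # Stand-in for a real password hash (bcrypt/argon2 in production);
    # sha256 is used here only to keep the example dependency-free.
    return hashlib.sha256(value.encode()).hexdigest()


def issue_reset_token(domain, now=None):
    """Return the token that would be mailed to the registrant, or None when
    the reseller has disabled mailed resets. The message carries no password."""
    now = time.time() if now is None else now
    user = USERS.get(domain)
    if user is None or not RESELLER_ALLOWS_MAIL_RESET.get(user["reseller"], False):
        return None
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[_hash(token)] = (domain, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(domain, token, new_password, now=None):
    """Consume the token exactly once; reject expired or mismatched tokens."""
    now = time.time() if now is None else now
    # Single use: the entry is removed whether or not the redemption succeeds.
    entry = PENDING_RESETS.pop(_hash(token), None)
    if entry is None:
        return False
    stored_domain, expiry = entry
    if now > expiry or not hmac.compare_digest(stored_domain, domain):
        return False
    USERS[domain]["password_hash"] = _hash(new_password)
    return True


def check_password(domain, password):
    """Constant-time comparison against the stored hash."""
    stored = USERS[domain]["password_hash"]
    return stored is not None and hmac.compare_digest(stored, _hash(password))
```

The reseller switch is evaluated on the registrar side, so a different management interface cannot bypass it the way the thread worries about; the token's expiry and single use bound the damage from a message that is read in transit or from a compromised mailbox.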
