I think the issue at hand is:

If <Customer> calls <RSP> and says "I need my password, can you send
it to me?", then the exposure is limited. It's going across the wire,
the recipient is expecting it, etc.

However, if <Dick> goes to a web form, sets up in advance to (a)
monitor network between A and B, (b) is prepared to watch a mail
spool to grab the password from their boss' mailbox on the corporate
mail server, etc., then the exposure is significantly greater, and
there are openings for malicious use.

I certainly, if #2 is going to be a feature, want the ability to also
say "my domain's password may never be sent in clear text in an
e-mail unless I ask for it", and preferably for there also to be an
option that "it may never be sent in e-mail. period." (In fact, even
if #2 never sees the light of day, I'd like that feature TODAY, ...
sure I'm my own RSP, but customers should have the ability to dictate
that their password never get committed to public cleartext)

Personally, I'd rather require that $CUSTOMER call Tucows/etc., and
provide proof of identity, the whole nine yards in the case of a
forgotten password, than for someone to be able to sniff the password
at some stage of e-mail and get it handed to them.

D

At 10:39 PM -0400 9/26/00, Alex Brecher wrote:
>Hi, actually it can be sent with the same method it is currently
>sent with. The only exception would be bypassing the step where the
>RSP logs into the reseller area to send the password.
>
>Best Regards,
>
>Alex Brecher
>
>----- Original Message -----
>From: "Swerve" <[EMAIL PROTECTED]>
>To: "Charles Daminato" <[EMAIL PROTECTED]>; "Alex Brecher"
><[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Tuesday, September 26, 2000 10:21 PM
>Subject: Re: Wish List Additions
>
>
>> Hi,
>> With regards to number 2. Will the password be sent in an encrypted
>> fashion? If no, would it be possible for anyone to punch in an opensrs
>> registered domain, and possibly intercept the password as it flies thru
>> electronic space?
>>
>> swerve
>>
>> > From: Charles Daminato <[EMAIL PROTECTED]>
>> > Date: Tue, 26 Sep 2000 21:01:14 -0400
>> > To: Alex Brecher <[EMAIL PROTECTED]>
>> > Cc: [EMAIL PROTECTED]
>> > Subject: Re: Wish List Additions
>> >
>> > #1 is an excellent idea, and will be placed in queue for a feature
>> > request. This may be tricky, as we have to ensure we send the original
>> > registration information - assuming that the end user may still be able to
>> > alter information of that domain name prior to getting acknowledgement
>> > (i.e. by registering a domain on a previous profile...)
>> >
>> > #2 is already on the list and will *most likely* be in the next release -
>> > I can't offer specific information, as ..well, I'm not 100% sure at the
>> > moment :)
>> >
>> > Alex Brecher wrote:
>> >>
>> >> Hi, I just wanted to suggest two features to the wish list for the next
>> >> release:
>> >>
>> >> 1. The ability to resend the confirmation email that the reseller
>> >> has set up in their reseller area. This is a helpful feature if a
>> >> user's email was down when they placed their registration or if they had
>> >> entered their wrong email address at the time of
>> >> registration.
>> >>
>> >> 2. A way for the user to retrieve their password without contacting the
>> >> reseller first. All they would do is enter their domain in a
>> >> form on our site and their login would automatically be sent to
>> >> their admin. email listed for their domain.
>> >>
>> >> Best Regards,
>> >>
>> >> Alex Brecher
>> >
>> > --
>> >
>> > Charles Daminato
>> > OpenSRS Support Manager
>> > [EMAIL PROTECTED]
>> >
>>