Hi Chuck, This was announced to resellers via an OpenSRS Live Reseller Update email sent out on 12/06/02.
I can gladly resend it to you if you did not receive it. Cheers Joey. ----- Original Message ----- From: "Chuck Hatcher" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, December 13, 2002 10:12 AM Subject: Sending login information to Owner contact... > Here's another change that took me by surprise: > > In the RWI we now have the option to send the username/password to the owner > contact. > > I don't disagree that the owner contact has the right to modify the > registration record. After all they are the owner. But this change could > have unintended security consequences. > > Assume, for example, that party A is the admin contact for, but not the > reseller for, domain names owned by parties B and C. For easier management, > party A has put the domain names in the same profile. In the past this was > somewhat safe because only the admin contact could obtain the username and > password. Now, assume party B contacts the reseller listed in the whois to > obtain the username and password for his domain, and the reseller sends it > to him. He logs in, and now can modify party C's domain name. > > This scenario could easily be prevented if party A knew it wasn't safe to > combine domain names of different owners into the same profile. But the > fact that this is a new change to the way things have been done in the past > means party A may never find out about it. > > There are two points to my post: > > 1. Resellers, be aware of the change and take appropriate precautions, and > > 2. Where are all these unannounced changes coming from? Let us know when > you change something, okay? (I'll apologize if you did and I just missed > it.) > >
