This is the Oct 19th Verisign advisory discussed this
afternoon.<BR><BR>Tim <BR>
<DIV id=wmMessageComp name="wmMessageComp"><BR><BR>
<BLOCKQUOTE style="PADDING-LEFT: 8px; MARGIN-LEFT: 8px; BORDER-LEFT:
blue 2px solid">-------- Original Message --------<BR>Subject: Advisory
and Operational Policy Regarding Best Practices for<BR>VeriSign Registry
Systems Access<BR>From: "Price, Lauren"
<lprice@verisign.com><BR>Date: Fri, October 20, 2006 10:26
am<BR>To: "Price, Lauren" <lprice@verisign.com><BR><BR>Dear
Registrar,<BR><BR>Please be sure to read the advisory sent by VeriSign
Customer Service<BR>regarding Best Practices for VeriSign Registry
Systems Access.<BR><BR>If you have any questions, please do not
hesitate to contact me.<BR><BR>Thank you,<BR>Lauren <BR><BR>Lauren
Price<BR>Account
Manager<BR>Lprice@verisign.com<BR>703-948-3335<BR><BR>-----Original
Message-----<BR>From:
owner-registrars@verisign-grs.com<BR>[mailto:owner-registrars@verisign-grs.com]
On Behalf Of VeriSign<BR>Customer Service<BR>Sent: Thursday, October 19,
2006 3:06 PM<BR>To: registrars@verisign-grs.com<BR>Subject:
[RegistrarsList] Advisory and Operational Policy Regarding
Best<BR>Practices for VeriSign Registry Systems Access<BR><BR>NOTE:
This document includes new requirements for interfacing with
the<BR>Registry Systems which need to be followed by Registrars in
order for<BR>production access to these systems to continue post
November 19, 2006.<BR><BR>Dear Registrar,<BR><BR>In preparation for the
Name Store Manager release in early 2007 which<BR>provides common access
for .com/.net and Name Store platforms, VeriSign<BR>has prepared the
following document which outlines the best practices<BR>for
access to the VeriSign Registry Systems including the
Shared<BR>Registration System (SRS), the .com/.net Registrar Tool and
the Name<BR>Store Manager. One of the key features of the
upcoming release is the<BR>merging of Name Store and .com/.net accounts
into one account with a<BR>single sign-on including one set of access
information (one username and<BR>one password). Thus, there is no
better time to reexamine your security<BR>practices for accessing these
tools.<BR>Please note that this document also includes new practices
for<BR>interfacing with the Registry Systems which need to be followed
by<BR>Registrars in order for production access to these systems to
continue.<BR><BR>VeriSign's goal is to maintain the best security
practices while<BR>preserving the functionality necessary for
registrars to conduct<BR>business with VeriSign. Because of this,
VeriSign is implementing two<BR>new requirements for access to Registry
Systems:<BR><BR>1. Change of Passwords and Security Phrases now
systematically required<BR><BR> a.
Registrars will be required to update their password
and<BR>registrar security phrase regularly in order to maintain access
to our<BR>systems.<BR><BR> b. This has
been an advised policy in the past. However,<BR>please
be<BR>advised that all registrars are required to change and update
their<BR>passwords and security phrases for all Registry SRS and Name
Store tools<BR>as of November 19, 2006.<BR><BR> c.
After November 19, 2006, Registrars will be
systematically<BR>required to update these passwords and phrases every
90 days to continue<BR>access to production systems and
tools.<BR><BR> d. Registrars are also
advised that these passwords and<BR>security<BR>phrases must be updated
when there is a change in authorized contacts.<BR><BR>Additional
Information regarding establishing of updated passwords and<BR>security
phrases is included in the following document.<BR><BR>2. IP Access
Control Lists to the Registrar Tools must be Specified and<BR>Updated
for Access to Registrar Tools.<BR><BR> a. As of November
19, 2006, Registrars must designate an access<BR>control list of
approved IP addresses to VeriSign.<BR><BR> b. Access to
the SRS, the Registrar Tool and the Name Store Manager<BR>is restricted
to IP addresses authorized by the registrar.<BR><BR> c. The
access control list may be different for each of the<BR>VeriSign
Registry Systems. For example, the IP addresses for access
to<BR>the SRS may be different from those for access to the Registrar
Tool.<BR><BR>Additional information regarding establishing this list of
authorized IP<BR>addresses is included in the following
document.<BR><BR>Please note that compliance with these access control
best practices is<BR>required for access to systems as of 0200 hrs UTC
on November 19, 2006.<BR><BR>For more details, please review the full
document which follows this<BR>note.<BR>If you have any questions or
comments, please do not hesitate to contact<BR>Customer Service at
info@verisign-grs.com or
703-925-6999.<BR><BR><BR>_____________________________________________________________________<BR><BR>Best
Practices and Requirements for VeriSign Registry Systems
Access<BR><BR>Description<BR><BR>To ensure the validity of VeriSign
data and system integrity, it is<BR>vital that access to Registry
Systems is granted only after proper<BR>authentication.<BR>To protect
the integrity of the authentication process, VeriSign has<BR>outlined
the best practices requirements as related to accessing to
the<BR>VeriSign Registry Systems, including the Shared Registration
System<BR>(SRS), the .com/.net Registrar Tool and the Name Store
Manager.<BR><BR>The goal of the Best Practices and Requirements for
VeriSign Registry<BR>Systems Access is to provide the best possible
security while preserving<BR>the functionality necessary for registrars
to conduct business with<BR>VeriSign.<BR>Registrars must implement the
access practices listed below for all<BR>information systems used
within VeriSign.<BR><BR>Scope<BR><BR>This document outlines the
practices related to the following<BR>components:<BR>Production User ID
and Password, registrar security phrase and an access<BR>control list of
approved IP addresses.<BR><BR> Production User ID and
Password<BR><BR>Registrars receive a User ID and temporary password via
fax to their<BR>administrative contact upon their initial certification
as a VeriSign<BR>registrar. Registrars can not change their User
ID but they should<BR>immediately change their temporary password.
Thereafter, registrars<BR>must change their password every 90
days or when the authorized contacts<BR>change, whichever is
sooner.<BR><BR>To change your password, contact Customer Service or
logon to the<BR>Registrar Tool and the Name Store Manager to change
your respective<BR>.com/.net and Name Store passwords.<BR><BR>
Registrar Security Phrase<BR><BR>Registrars have a
registrar security phrase that was initially<BR>designated upon their
initial certification as a VeriSign registrar.<BR>When registrars
contact Customer Service to request the performance
of<BR>administrative actions, our Customer Service
Representatives<BR>authenticate the person by requesting their
registrar security phrase.<BR>Registrars must change their registrar
security phrase every 90 days or<BR>when the authorized contacts
change, whichever is sooner.<BR><BR>All registrar contacts should be
informed of the registrar security<BR>phrase prior to contacting
VeriSign Customer Service to ensure speedy<BR>response to the
registrar's requests.<BR><BR>To change your registrar security phrase,
please contact Customer<BR>Service or logon to the Registrar Tool and
the Name Store Manager to<BR>change your respective .com/.net and Name
Store registrar security<BR>phrases. For efficiency, VeriSign
recommends that the registrar<BR>security phrase and their password be
updated at the same time.<BR><BR> Registrar Tool Access
Control<BR><BR>Registrars must designate an access control list of
approved IP<BR>addresses to VeriSign upon their initial certification
as a VeriSign<BR>registrar. Access to the SRS, the Registrar Tool
and the Name Store<BR>Manager is restricted to IP addresses authorized
by the registrar. The<BR>access control list may be different for
each of the VeriSign Registry<BR>Systems. For example, the IP
addresses for access to the SRS may be<BR>different from those for
access to the Registrar Tool.<BR><BR>To amend your access control list
of approved IP addresses, refer to the<BR>Subnet Modification form for
IP address guidelines and instructions,<BR>please refer
to:<BR>http://www.verisign.com/support/registrar/comnet/subnet/index.html.
The<BR>Subnet Modification form enables registrars to specify the same
or<BR>different IP addresses for access to the SRS, Registrar Tool and
the<BR>Name Store Customer Manager. Please note that several IP
ranges are<BR>blocked by VeriSign and cannot be designated for
use.<BR><BR>Roles and Responsibilities<BR><BR>The best practices
outlined apply to all VeriSign registrars. Each<BR>registrar has the
responsibility to protect their access information and<BR>keep it
updated as authorized contacts change. The document does
not<BR>attempt to be an exhaustive reference to every possible
security<BR>configuration for a particular registrar.<BR><BR>All
registrars are required to comply with the best practices set
forth<BR>in this document even if the systems do not enforce a
practice. For<BR>example, if the system does not expire a
password after 90 days, the<BR>registrar is still responsible for
changing the password at least every<BR>90 days. If the password
or registrar security phrase has been<BR>compromised, the registrar
should request that the password or registrar<BR>security phrase be
reset immediately and then the registrar should<BR>change the reset
password or registrar security phrase upon next
login.<BR><BR>Verification<BR><BR>VeriSign may conduct periodic audits
for compliance with the best<BR>practices outlined in this document.
Registrars are responsible to<BR>ensure that their personnel
adhere to these practices.<BR><BR>If you have questions regarding this
advisory please contact Customer<BR>Service at
info@verisign-grs.com.<BR><BR>Best Regards,<BR><BR>PJ
Bolanos<BR>Director, Customer Service<BR>VeriSign,
Inc.<BR>info@verisign-grs.com<BR><BR>---------<BR>Participants on the
VeriSign registrars list are requested to not<BR>cross-post messages.
</BLOCKQUOTE></DIV>