NetSol's PGP auth ... and the road not taken
Joe Rhett
jrhett at isite.net
Sun Nov 4 00:40:59 UTC 2001
Leo, we did all of these. We found out about #3 (their documentation still
says this should be blank, but we were told in '96 to put the key-id there).
And we always used PGP 2.4.2. They were the only reason we had 2.4.2 ...
Anyway, we had pre-written domain forms and we processed the message
through a CGI script I wrote, so there was no possible way for the message
to go out as anything other than signed cleartext with the keyid in the auth field.
50% of the submissions got bounced for no reason and we had to call in.
Even the ones that cleared would take 8-10 hours. NetSol told us that
they queue the PGP stuff and do it once a day, manually, and that the only way
to improve response was to drop PGP auth.
Maybe they have gotten better recently. We moved all of our domains to
OpenSRS over a year ago, so we don't have to wait any more. At the time we
left, it was a nightmare.
On Mon, Oct 22, 2001 at 12:34:23PM -0400, Leo Bicknell wrote:
>
> On Mon, Oct 22, 2001 at 12:24:17AM -0700, Joe Rhett wrote:
> > Don't waste your time. We had PGP auth working for the last 6 years. It
> > will slow down any change you want to make by 3-5 days. Around 30% will get
> > rejected for no reason whatsoever, and much more fun stuff.
>
> I find these comments interesting. I have been using PGP auth for
> a number of years and found it to work just fine. I have found
> most of the problems people have mentioned to be them running PGP
> wrong, and/or using new versions of PGP before Netsol got them
> working. I've only ever had one request get hung up, and it was
> because I sent them an ASCII-armored request, rather than a cleartext
> signed copy.
>
> Just to be sure, I just submitted a number of changes I had been
> sitting on, with PGP. 4 minutes later automated e-mail back that
> the changes had been made and all is well. Since their documentation
> sucks, some tips:
>
> 1) Your message must be signed cleartext. They need to be able to
> parse the text, in particular to get your keyid before running
> it through PGP. I'm not sure why this is, but it is the way it
> is, so just do it. Note, this implies you cannot encrypt your
> message, just sign it.
>
> 2) Use older PGP / keys. I still use 2.6.2 keys with them, and I
> know of people using 5.0 keys. Anything newer may cause issues.
>
> 3) Make sure your auth type is set to PGP _AND_ the key-id is
> filled in. If you fill out the automated forms on the web there
> is no way to enter a key id, you must manually edit the file
> they send you in e-mail.
>
> If your message is wrong for any reason, it will get bounced to a
> human, and most of the humans have no idea what to do with a bad
> PGP request (particularly an encrypted one that they can't even
> read) so they do sit. It's like getting soup in a Seinfeld show,
> do it right, you get soup, do it wrong, and well, "no soup for
> you!"
>
> --
> Leo Bicknell - bicknell at ufp.org
> Systems Engineer - Internetworking Engineer - CCIE 3440
> Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
--
Joe Rhett, Chief Geek
JRhett at ISite.Net, ISite Services, Inc.
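The tips quoted above describe the shape NetSol's parser expected: a cleartext-signed message whose text stays readable, with PGP selected as the auth type and a key ID filled in. Below is an added example, not part of this thread and not either poster's tooling, of the kind of pre-flight check Joe's CGI script could have done before sending. It rejects anything that is not cleartext-signed (an encrypted PGP MESSAGE block fails at the first line), checks the armor CRC24, and reads the issuer key ID straight out of the OpenPGP signature packet (RFC 4880 layout), handling both the v3 signatures PGP 2.6.x produced and v4 signatures, then compares it with the key ID written in the form. The form field name Auth-Key-ID, the sample form text, and the signature packets (assembled inline with dummy MPIs, so they parse but do not cryptographically verify) are all constructed for this example; NetSol's real template field names do not appear in the thread.

```python
import base64
import struct

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def split_clearsigned(text: str):
    """Return (signed_text, signature_packet_bytes); ValueError if not cleartext-signed."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        raise ValueError("not a cleartext-signed message (encrypted or plain armor?)")
    if BEGIN_SIG not in lines or END_SIG not in lines:
        raise ValueError("signature block missing")
    sig_start, sig_end = lines.index(BEGIN_SIG), lines.index(END_SIG)
    i = 1                                   # skip "Hash:" headers up to the blank line
    while i < sig_start and lines[i].strip():
        i += 1
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start]]  # undo dash-escaping
    j = sig_start + 1                       # skip armor headers ("Version: ...") up to the blank line
    while j < sig_end and lines[j].strip():
        j += 1
    armored = lines[j + 1:sig_end]
    if not armored or not armored[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    packet = base64.b64decode("".join(armored[:-1]))
    if crc24(packet) != int.from_bytes(base64.b64decode(armored[-1][1:]), "big"):
        raise ValueError("armor CRC24 mismatch")
    return "\n".join(body), packet


def _issuer_subpacket(data: bytes):
    """Scan a v4 subpacket region for type 16 (Issuer) and return the key ID hex."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        if data[pos] & 0x7F == 16:
            return data[pos + 1:pos + length].hex().upper()
        pos += length
    return None


def issuer_key_id(packet: bytes) -> str:
    """Extract the 64-bit issuer key ID from a v3 or v4 OpenPGP signature packet."""
    hdr = packet[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                          # new-format header: tag in low 6 bits
        tag, first = hdr & 0x3F, packet[1]
        if first < 192:
            body = packet[2:2 + first]
        elif first < 224:
            body = packet[3:3 + ((first - 192) << 8) + packet[2] + 192]
        else:
            raise ValueError("unsupported length encoding")
    else:                                   # old-format header: tag in bits 5..2
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 0:
            body = packet[2:2 + packet[1]]
        elif ltype == 1:
            body = packet[3:3 + struct.unpack(">H", packet[1:3])[0]]
        else:
            raise ValueError("unsupported length encoding")
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    if body[0] == 3:                        # v3: 03 05 sigtype time(4) keyid(8) pkalgo hashalgo ...
        return body[7:15].hex().upper()
    if body[0] == 4:                        # v4: 04 sigtype pkalgo hashalgo hashed(2+n) unhashed(2+n) ...
        hashed_len = struct.unpack(">H", body[4:6])[0]
        off = 6 + hashed_len
        unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
        for region in (body[6:off], body[off + 2:off + 2 + unhashed_len]):
            kid = _issuer_subpacket(region)
            if kid:
                return kid
        raise ValueError("v4 signature carries no Issuer subpacket")
    raise ValueError(f"unsupported signature version {body[0]}")


def preflight(message: str, field: str = "Auth-Key-ID") -> dict:
    """Hypothetical check: cleartext-signed, key ID in the form, and it matches the signer.
    A 32-bit key ID as PGP 2.6 displayed it (0x89ABCDEF) matches the low half of the 64-bit ID."""
    body, packet = split_clearsigned(message)
    sig_kid, form_kid = issuer_key_id(packet), None
    for line in body.splitlines():
        if line.lower().startswith(field.lower() + ":"):
            form_kid = line.split(":", 1)[1].strip().upper()
            form_kid = form_kid[2:] if form_kid.startswith("0X") else form_kid
    return {"signature_key_id": sig_kid, "form_key_id": form_kid,
            "ok": bool(form_kid) and sig_kid.endswith(form_kid)}


# --- constructed sample data (dummy MPIs; these signatures do not verify) ---
KEY_ID = bytes.fromhex("0123456789ABCDEF")
SAMPLE_FORM = "Domain Name: example.net\nAuth-Scheme: PGP\nAuth-Key-ID: 0x89ABCDEF\n"
CREATED = struct.pack(">I", 1004140859)


def v3_sig_packet(key_id: bytes) -> bytes:
    """Old-format header (0x88 = tag 2, 1-octet length), RSA/MD5 as PGP 2.6.x would emit."""
    body = bytes([3, 5, 1]) + CREATED + key_id + bytes([1, 1]) + b"\xAB\xCD" + struct.pack(">H", 16) + b"\x12\x34"
    return bytes([0x88, len(body)]) + body


def v4_sig_packet(key_id: bytes) -> bytes:
    """New-format header (0xC2 = tag 2), creation time hashed, Issuer subpacket unhashed."""
    hashed, unhashed = bytes([5, 2]) + CREATED, bytes([9, 16]) + key_id
    body = (bytes([4, 1, 1, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xAB\xCD" + struct.pack(">H", 16) + b"\x12\x34")
    return bytes([0xC2, len(body)]) + body


def build_clearsigned(form_text: str, sig_packet: bytes, version_line: str) -> str:
    """Assemble a cleartext-signed message around a constructed signature packet."""
    escaped = [("- " + l) if l.startswith("-") else l for l in form_text.splitlines()]
    b64 = base64.b64encode(sig_packet).decode()
    crc = base64.b64encode(crc24(sig_packet).to_bytes(3, "big")).decode()
    armor = [BEGIN_SIG, f"Version: {version_line}", ""] + [b64[k:k + 64] for k in range(0, len(b64), 64)]
    return "\n".join([BEGIN_SIGNED, "Hash: SHA1", ""] + escaped + armor + ["=" + crc, END_SIG])


if __name__ == "__main__":
    for label, pkt in (("PGP 2.6.2 (v3)", v3_sig_packet(KEY_ID)), ("GnuPG (v4)", v4_sig_packet(KEY_ID))):
        print(label, preflight(build_clearsigned(SAMPLE_FORM, pkt, label)))
    try:
        preflight("-----BEGIN PGP MESSAGE-----\n\nhQEMAw==\n=AAAA\n-----END PGP MESSAGE-----")
    except ValueError as e:
        print("encrypted submission rejected:", e)
```

The point of reading the key ID from the packet is that a cleartext signature exposes both the text and the signer without any key material, which is what lets a front end route or sanity-check a request before the slow PGP step; an encrypted message offers neither, which is why such requests stalled with humans who could not read them.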