NetSol's PGP auth ... and the road not taken

Joe Rhett jrhett at isite.net
Sun Nov 4 00:40:59 UTC 2001


Leo, we did all of these. We found out about #3 (their documentation still
says this should be blank, but we were told in '96 to put the key-id there).
And we always used PGP 2.4.2. They were the only reason we had 2.4.2 ...

Anyway, we had pre-written domain forms and we processed the message
through a CGI script I wrote, so there was no possible way for the message
to go with other than signed cleartext with the keyid in the auth field.
50% of the submissions got bounced for no reason and we had to call in. 
Even the ones that cleared would take 8-10 hours. NetSol told us that
they queue the PGP stuff and do it once a day, manually. That the only way
to improve response was to drop PGP auth.

Maybe they have gotten better recently. We moved all of our domains to
OpenSRS over a year ago, so we don't have to wait any more. At the time we
left, it was a nightmare. 

On Mon, Oct 22, 2001 at 12:34:23PM -0400, Leo Bicknell wrote:
> 
> On Mon, Oct 22, 2001 at 12:24:17AM -0700, Joe Rhett wrote:
> > Don't waste your time. We had PGP auth working for the last 6 years. It
> > will slow down any change you want to make by 3-5 days. Around 30% will get
> > rejected for no reason whatsoever, and much more fun stuff.
> 
> I find these comments interesting.  I have been using PGP auth for
> a number of years and found it to work just fine.  I have found
> most of the problems people have mentioned to be them running PGP
> wrong, and/or using new versions of PGP before Netsol got them
> working.  I've only ever had one request get hung up, and it was
> because I sent them an ASCII-Armored request, rather than a cleartext
> signed copy.
> 
> Just to be sure, I just submitted a number of changes I had been
> sitting on, with PGP.  4 minutes later automated e-mail back that
> the changes had been made and all is well.  Since their documentation
> sucks, some tips:
> 
> 1) Your message must be signed cleartext.  They need to be able to
>    parse the text, in particular to get your keyid before running
>    it through PGP.  I'm not sure why this is, but it is the way it
>    is, so just do it.  Note, this implies you cannot encrypt your
>    message, just sign it.
> 
> 2) Use older PGP / keys.  I still use 2.6.2 keys with them, and I
>    know of people using 5.0 keys.  Anything newer may cause issues.
> 
> 3) Make sure your auth type is set to PGP _AND_ the key-id is
>    filled in.  If you fill out the automated forms on the web there
>    is no way to enter a key id, you must manually edit the file
>    they send you in e-mail.
> 
> If your message is wrong for any reason, it will get bounced to a
> human, and most of the humans have no idea what to do with a bad
> PGP request (particularly an encrypted one that they can't even
> read) so they do sit.  It's like getting soup in a Seinfeld show,
> do it right, you get soup, do it wrong, and well, "no soup for
> you!"
> 
> -- 
> Leo Bicknell - bicknell at ufp.org
> Systems Engineer - Internetworking Engineer - CCIE 3440
> Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org

-- 
Joe Rhett                                                      Chief Geek
JRhett at ISite.Net                                      ISite Services, Inc.
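A pre-submission lint in the spirit of the CGI check Joe describes, added here as an example and not code from either poster: it rejects an encrypted/armored message, requires cleartext-signed framing, and checks that the auth scheme is PGP and the key-id field is filled in. The template field names ("Auth Scheme", "Auth Info") and the 8/16-hex-digit key-id format are assumptions, since the thread does not reproduce NetSol's template, and it checks framing and fields only, not the signature itself.

```python
import re

# Constructed sample of a cleartext-signed template. Field names are assumed,
# not NetSol's real template; the signature blob is a placeholder.
SIGNED_OK = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

0a. Auth Scheme..............: PGP
0b. Auth Info................: 0x12345678
1.  Domain Name..............: example.net
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOconstructedplaceholder=
-----END PGP SIGNATURE-----
"""

# Constructed sample of the wrong thing: an encrypted/armored message.
ENCRYPTED_BAD = """-----BEGIN PGP MESSAGE-----
Version: 2.6.2

hQEMAconstructedplaceholder=
-----END PGP MESSAGE-----
"""

# Cleartext-signature framing: header, optional armor headers, blank line,
# signed text, then the detached signature block.
CLEARSIGN = re.compile(
    r"^-----BEGIN PGP SIGNED MESSAGE-----\n(?:[A-Za-z-]+: [^\n]*\n)*\n"
    r"(.*?)\n-----BEGIN PGP SIGNATURE-----\n", re.S)
# Template line such as "0a. Auth Scheme......: PGP" (assumed layout).
FIELD = re.compile(r"^\w+\.\s+([^.:]+)\.*:\s*(.*)$")

def lint_submission(msg):
    """Return a list of problems that would get the request bounced to a human."""
    if msg.startswith("-----BEGIN PGP MESSAGE-----"):
        return ["message is encrypted or armored; must be cleartext signed"]
    m = CLEARSIGN.match(msg)
    if not m:
        return ["no cleartext signature framing found"]
    fields = {}
    for line in m.group(1).splitlines():
        if line.startswith("- "):          # undo dash-escaping of the cleartext format
            line = line[2:]
        f = FIELD.match(line)
        if f:
            fields[f.group(1).strip().lower()] = f.group(2).strip()
    problems = []
    scheme = fields.get("auth scheme", "")
    if scheme.upper() != "PGP":
        problems.append("auth scheme is %r, expected PGP" % scheme)
    keyid = fields.get("auth info", "")
    if not re.fullmatch(r"(0x)?[0-9A-Fa-f]{8}([0-9A-Fa-f]{8})?", keyid):
        problems.append("auth info must hold the signing key-id, got %r" % keyid)
    return problems
```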