North American Network Operators Group
Re: NetSol's PGP auth ... and the road not taken

Leo, we did all of these. We found out about #3 (their documentation still says this should be blank, but we were told in '96 to put the key-id there). And we always used PGP 2.4.2. They were the only reason we had 2.4.2 ...

Anyway, we had pre-written domain forms and we processed the message through a CGI script I wrote, so there was no possible way for the message to go with other than signed cleartext with the keyid in the auth field. 50% of the submissions got bounced for no reason and we had to call in. Even the ones that cleared would take 8-10 hours. NetSol told us that they queue the PGP stuff and do it once a day, manually. That the only way to improve response was to drop PGP auth.

Maybe they have gotten better recently. We moved all of our domains to OpenSRS over a year ago, so we don't have to wait any more. At the time we left, it was a nightmare.

On Mon, Oct 22, 2001 at 12:34:23PM -0400, Leo Bicknell wrote:
>
> On Mon, Oct 22, 2001 at 12:24:17AM -0700, Joe Rhett wrote:
> > Don't waste your time. We had PGP auth working for the last 6 years. It
> > will slow down any change you want to make by 3-5 days. Around 30% will get
> > rejected for no reason whatsoever, and much more fun stuff.
>
> I find these comments interesting. I have been using PGP auth for
> a number of years and found it to work just fine. I have found
> most of the problems people have mentioned to be them running PGP
> wrong, and/or using new versions of PGP before Netsol got them
> working. I've only ever had one request get hung up, and it was
> because I sent them an ASCII-Armored request, rather than a cleartext
> signed copy.
>
> Just to be sure, I just submitted a number of changes I had been
> sitting on, with PGP. 4 minutes later automated e-mail back that
> the changes had been made and all is well. Since their documentation
> sucks, some tips:
>
> 1) Your message must be signed cleartext. They need to be able to
> parse the text, in particular to get your keyid before running
> it through PGP. I'm not sure why this is, but it is the way it
> is, so just do it. Note, this implies you cannot encrypt your
> message, just sign it.
>
> 2) Use older PGP / keys. I still use 2.6.2 keys with them, and I
> know of people using 5.0 keys. Anything newer may cause issues.
>
> 3) Make sure your auth type is set to PGP _AND_ the key-id is
> filled in. If you fill out the automated forms on the web there
> is no way to enter a key id, you must manually edit the file
> they send you in e-mail.
>
> If your message is wrong for any reason, it will get bounced to a
> human, and most of the humans have no idea what to do with a bad
> PGP request (particularly an encrypted one that they can't even
> read) so they do sit. It's like getting soup in a Seinfeld show,
> do it right, you get soup, do it wrong, and well, "no soup for
> you!"
>
> --
> Leo Bicknell - [email protected]
> Systems Engineer - Internetworking Engineer - CCIE 3440
> Read TMBG List - [email protected], www.tmbg.org

--
Joe Rhett
Chief Geek
[email protected]
ISite Services, Inc.