[43717] in North American Network Operators' Group

Re: NetSol's PGP auth ... and the road not taken

daemon@ATHENA.MIT.EDU (David Shaw)
Wed Oct 24 18:27:34 2001

Date: Wed, 24 Oct 2001 18:24:26 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: nanog@merit.edu
Message-ID: <20011024182426.E10908@akamai.com>
Mail-Followup-To: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011022153834.K86121@cybernothing.org>; from jdfalk@cybernothing.org on Mon, Oct 22, 2001 at 03:38:35PM -0700
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, Oct 22, 2001 at 03:38:35PM -0700, J.D. Falk wrote:
> 
> On 10/22/01, Joe Rhett <jrhett@isite.net> wrote: 
> 
> > > i've been trying to add a pgp key to the verisign/netsol database for the
> > > past two weeks. i've sent four messages, opened three web help requests,
> > > and spent three hours on the phone with their helpdesk. they know less
> > > than their customers about their own procedures and web documentation for
> > > adding keys for PGP guardian auth.
> >  
> > Don't waste your time. We had PGP auth working for the last 6 years. It
> > will slow down any change you want to make by 3-5 days. Around 30% will get
> > rejected for no reason whatsoever, and much more fun stuff.
> 
> 	I've had PGP AUTH broken for the last 6 years, and had the same
> 	kind of experience.  I just finished an ENTIRE MONTH of calling
> 	a couple of times a week to get a simple host record fixed.  In
> 	one call, somebody changed me from PGP AUTH to MAIL-FROM without
> 	effectively confirming that I was really me.

I wrote this in March of 1999:

  I have gone to silly lengths to ensure that I am giving them a valid
  signature.  Once I signed the template, and then verified the
  signature. I then copied it to another machine with a different PGP
  version and re-verified the signature. Then I mailed it to myself
  off-site and verified the signature on the remote system to ensure
  the mail system wasn't breaking something.  Finally, I mailed it to
  hostmaster@internic.net and cc'd myself on and off-site.  Both
  copies I got back verified fine.  The Internic took a few days and
  then bounced it because they couldn't verify the signature.

It never improved, and I eventually gave up.  I'm using OpenSRS now.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson