Leo, we did all of these. We found out about #3 (their documentation still says this should be blank, but we were told in '96 to put the key-id there). And we always used PGP 2.4.2. They were the only reason we had 2.4.2 ...

Anyway, we had pre-written domain forms and we processed the message through a CGI script I wrote, so there was no possible way for the message to go out as anything other than signed cleartext with the keyid in the auth field. 50% of the submissions got bounced for no reason and we had to call in. Even the ones that cleared would take 8-10 hours. NetSol told us that they queue the PGP stuff and do it once a day, manually, and that the only way to improve response was to drop PGP auth.

Maybe they have gotten better recently. We moved all of our domains to OpenSRS over a year ago, so we don't have to wait any more. At the time we left, it was a nightmare.

On Mon, Oct 22, 2001 at 12:34:23PM -0400, Leo Bicknell wrote:
> On Mon, Oct 22, 2001 at 12:24:17AM -0700, Joe Rhett wrote:
> > Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
>
> I find these comments interesting. I have been using PGP auth for a number of years and found it to work just fine. I have found most of the problems people have mentioned to be them running PGP wrong, and/or using new versions of PGP before Netsol got them working. I've only ever had one request get hung up, and it was because I sent them an ASCII-armored request rather than a cleartext-signed copy.
>
> Just to be sure, I just submitted a number of changes I had been sitting on, with PGP. 4 minutes later an automated e-mail came back saying the changes had been made and all is well. Since their documentation sucks, some tips:
>
> 1) Your message must be signed cleartext. They need to be able to parse the text, in particular to get your keyid, before running it through PGP. I'm not sure why this is, but it is the way it is, so just do it. Note, this implies you cannot encrypt your message, just sign it.
>
> 2) Use older PGP / keys. I still use 2.6.2 keys with them, and I know of people using 5.0 keys. Anything newer may cause issues.
>
> 3) Make sure your auth type is set to PGP _AND_ the key-id is filled in. If you fill out the automated forms on the web there is no way to enter a key id; you must manually edit the file they send you in e-mail.
>
> If your message is wrong for any reason, it will get bounced to a human, and most of the humans have no idea what to do with a bad PGP request (particularly an encrypted one that they can't even read), so they do sit. It's like getting soup in a Seinfeld show: do it right, you get soup; do it wrong, and, well, "no soup for you!"
>
> -- 
> Leo Bicknell - bicknell@ufp.org
> Systems Engineer - Internetworking Engineer - CCIE 3440
> Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
-- 
Joe Rhett
Chief Geek
JRhett@ISite.Net
ISite Services, Inc.
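The three format rules in the thread (cleartext-signed rather than encrypted, auth type set to PGP, key-id filled in) are exactly the kind of pre-flight check Joe describes his CGI script enforcing. The following is an added example, not code from the thread or from either poster. It is written in Python and makes several assumptions: the field labels "Auth Scheme" and "Auth Info" and the numbered "0a. Name....: value" layout are a guess at the NetSol template, and the sample message is constructed, with a placeholder in place of a real signature body. It checks only the shape of the submission; whether the signature actually verifies is still left to PGP itself. One detail worth seeing in code: a clearsigner dash-escapes any template line that starts with a dash, so the text has to be unescaped before the fields can be parsed.

```python
import re

# Constructed sample of a clearsigned submission, in the shape "pgp -sta"
# produces. Field labels ("Auth Scheme", "Auth Info") are assumed, not taken
# from the real NetSol template, and the signature body is placeholder data.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----

Authorization
- ----------
0a. Auth Scheme....: PGP
0b. Auth Info......: 0xDEADBEEF

1. Domain Name.....: example.com

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBO9Q3placeholderplaceholderplaceholder
=AbCd
-----END PGP SIGNATURE-----
"""

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
ENCRYPTED_BEGIN = "-----BEGIN PGP MESSAGE-----"

# "0a. Auth Scheme....: PGP" -> name "Auth Scheme", value "PGP"
FIELD_RE = re.compile(
    r"^\s*[0-9]+[a-z]?\.\s+(?P<name>[^:]+?)\.*\s*:\s*(?P<value>.*)$")
# 8- or 16-digit hex key-id, with or without a 0x prefix
KEYID_RE = re.compile(r"^(0x)?[0-9A-Fa-f]{8}([0-9A-Fa-f]{8})?$")


def split_clearsigned(text):
    """Return (cleartext_lines, signature_lines) for a clearsigned message.

    Rejects ASCII-armored/encrypted output (BEGIN PGP MESSAGE): the text is
    inside the armor, so nobody can read the key-id out of it without PGP.
    """
    if text.lstrip().startswith(ENCRYPTED_BEGIN):
        raise ValueError("armored/encrypted PGP MESSAGE; must be clearsigned")
    lines = text.splitlines()
    try:
        start = lines.index(CLEARSIGN_BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError:
        raise ValueError("not a PGP clearsigned message") from None
    body = lines[start + 1:sig_start]
    # Skip armor headers such as "Hash: SHA1" up to the blank separator line.
    while body and body[0].strip():
        body.pop(0)
    if body:
        body.pop(0)
    # Undo dash-escaping: the signer turns a cleartext line "-----" into
    # "- -----" so it cannot be mistaken for an armor boundary (RFC 4880 7.1).
    cleartext = [l[2:] if l.startswith("- ") else l for l in body]
    return cleartext, lines[sig_start:sig_end + 1]


def parse_template(cleartext):
    """Map lower-cased field names to values for the numbered template lines."""
    fields = {}
    for line in cleartext:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("name").strip().lower()] = m.group("value").strip()
    return fields


def check_submission(text):
    """Apply the three rules from the thread; return a list of problems.

    An empty list means the message has the shape the automated queue can
    handle. Signature validity is not checked here; that is PGP's job.
    """
    try:
        cleartext, _signature = split_clearsigned(text)
    except ValueError as err:
        return [str(err)]
    fields = parse_template(cleartext)
    problems = []
    scheme = fields.get("auth scheme", "")
    if scheme.upper() != "PGP":
        problems.append("auth scheme is %r, expected PGP" % scheme)
    keyid = fields.get("auth info", "")
    if not keyid:
        problems.append("auth info (key-id) is blank")
    elif not KEYID_RE.match(keyid):
        problems.append("auth info %r is not a hex key-id" % keyid)
    return problems


if __name__ == "__main__":
    cases = [
        ("good", SAMPLE),
        ("blank key-id", SAMPLE.replace("0xDEADBEEF", "")),
        ("encrypted", ENCRYPTED_BEGIN + "\n\nhQEMA...\n-----END PGP MESSAGE-----\n"),
    ]
    for label, msg in cases:
        print(label, "->", check_submission(msg) or "OK")
```

Run on its own it reports the constructed good message as OK and the blank-key-id and encrypted variants as the two failures the thread describes: the kind of message that gets bounced to a human queue instead of being processed automatically.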