I posted a serious vulnerability in the NetSol PGP-AUTH system to BugTraq a while back. If you search the archives, you'll find it. PGP-AUTH provides effectively no authentication whatsoever, as far as I can tell. It's definitely not worth the hassle one has to go through to get it to function properly.
On Mon, 22 Oct 2001, J.D. Falk wrote:
On 10/22/01, Joe Rhett <jrhett@isite.net> wrote:
i've been trying to add a pgp key to the verisign/netsol database for the past two weeks. i've sent four messages, opened three web help requests, and spent three hours on the phone with their helpdesk. they know less than their customers about their own procedures and web documentation for adding keys for PGP guardian auth.
Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
I've had PGP AUTH broken for the last 6 years, and had the same kind of experience. I just finished an ENTIRE MONTH of calling a couple of times a week to get a simple host record fixed. In one call, somebody changed me from PGP AUTH to MAIL-FROM without effectively confirming that I was really me.
VeriSign needs to cut their losses and start over.
--
J.D. Falk <jdfalk@cybernothing.org>
"you can bomb the world to pieces, but you can't bomb it into peace" -- Michael Franti
--
Len Sassaman
Security Architect | Technology Consultant
http://sion.quickie.net
"Now it's all change -- It's got to change more." --Joe Jackson