slightly OT: verisign complaint department
i've been trying to add a pgp key to the verisign/netsol database for the past two weeks. i've sent four messages, opened three web help requests, and spent three hours on the phone with their helpdesk. they know less than their customers about their own procedures and web documentation for adding keys for PGP guardian auth. i guess this is the problem with government sanctioned monopolies. i'd like to do something about it. does anybody know if there is a formal board or governing group that i can send my grievances to? - brett
> i've been trying to add a pgp key to the verisign/netsol database for the past two weeks. i've sent four messages, opened three web help requests, and spent three hours on the phone with their helpdesk. they know less than their customers about their own procedures and web documentation for adding keys for PGP guardian auth.
Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.

They're probably ignoring new submissions because they never finished an automated infrastructure to support it, which means they do it all by hand, painfully for them and their customers.

If you do insist on going that route, get used to sending the mail, then calling up and waiting on hold for 1-2 hours, then pushing to get someone who knows what PGP is to process the message. Otherwise it may take 5 days before you get a response, and it will be a confused rejection.

-- Joe Rhett Chief Geek JRhett@ISite.Net ISite Services, Inc.
Or move to another registrar. I can strongly recommend Tucows/openSRS with no other relationship than being a very happy reseller.

rgds,
-- Peter Galbavy Knowtion Ltd.

----- Original Message -----
From: "Joe Rhett" <jrhett@isite.net>
To: <beldridg@best.com>
Cc: <nanog@merit.edu>
Sent: Monday, October 22, 2001 8:24 AM
Subject: NetSol's PGP auth ... and the road not taken
> > i've been trying to add a pgp key to the verisign/netsol database for the past two weeks. i've sent four messages, opened three web help requests, and spent three hours on the phone with their helpdesk. they know less than their customers about their own procedures and web documentation for adding keys for PGP guardian auth.
>
> Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
>
> They're probably ignoring new submissions because they never finished an automated infrastructure to support it, which means they do it all by hand, painfully for them and their customers.
>
> If you do insist on going that route, get used to sending the mail, then calling up and waiting on hold for 1-2 hours, then pushing to get someone who knows what PGP is to process the message. Otherwise it may take 5 days before you get a response, and it will be a confused rejection.
>
> -- Joe Rhett Chief Geek JRhett@ISite.Net ISite Services, Inc.
On Mon, Oct 22, 2001 at 12:24:17AM -0700, Joe Rhett wrote:
> Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
I find these comments interesting. I have been using PGP auth for a number of years and found it to work just fine. I have found most of the problems people have mentioned to be them running PGP wrong, and/or using new versions of PGP before Netsol got them working. I've only ever had one request get hung up, and it was because I sent them an ASCII-armored request, rather than a cleartext signed copy.

Just to be sure, I just submitted a number of changes I had been sitting on, with PGP. 4 minutes later automated e-mail back that the changes had been made and all is well. Since their documentation sucks, some tips:

1) Your message must be signed cleartext. They need to be able to parse the text, in particular to get your keyid before running it through PGP. I'm not sure why this is, but it is the way it is, so just do it. Note, this implies you cannot encrypt your message, just sign it.

2) Use older PGP / keys. I still use 2.6.2 keys with them, and I know of people using 5.0 keys. Anything newer may cause issues.

3) Make sure your auth type is set to PGP _AND_ the key-id is filled in. If you fill out the automated forms on the web there is no way to enter a key id, you must manually edit the file they send you in e-mail.

If your message is wrong for any reason, it will get bounced to a human, and most of the humans have no idea what to do with a bad PGP request (particularly an encrypted one that they can't even read) so they do sit. It's like getting soup in a Seinfeld show, do it right, you get soup, do it wrong, and well, "no soup for you!"

-- Leo Bicknell - bicknell@ufp.org Systems Engineer - Internetworking Engineer - CCIE 3440 Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
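Leo's three tips describe a submission format: a cleartext-signed template with the auth scheme set to PGP and the key ID filled in, so the registrar can read the key ID off the template before it ever runs PGP. The Python below is an added example, not NetSol's code and not anything posted in this thread, that implements that front-end check: it splits a cleartext-signed message into template text and signature packet, reads the key ID the template claims (the field labels `0b. Auth Scheme` and `0c. Auth Info` are an assumption), pulls the issuer key ID out of the signature packet in both the v3 layout PGP 2.6.x produced and the v4 layout with an Issuer subpacket that later versions write, and rejects mismatches, blank key IDs and anything that is not cleartext-signed. The sample template and the signature packets are constructed by hand with dummy MPIs, so nothing is cryptographically verified here; the result is the key ID you would hand to PGP for the real signature check.

```python
"""Registrar-side check of a PGP cleartext-signed template.  Constructed example:
field labels and signature packets are assumptions, not NetSol's format or code."""
import base64
import struct

SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def build_v3_signature_packet(key_id, sig_mpi):
    """v3 body as PGP 2.6.x wrote it: the key ID sits in the fixed header (constructed)."""
    body = bytes([3, 5, 0x01]) + struct.pack(">I", 1003795200) + key_id   # ver 3, 5 hashed octets, text sig, time
    body += bytes([1, 1]) + b"\xab\xcd"                                    # RSA, MD5, left 16 bits of hash
    body += struct.pack(">H", len(sig_mpi) * 8) + sig_mpi                  # signature MPI (dummy, never verified)
    return bytes([0x88, len(body)]) + body                                 # old-format header: tag 2, 1-octet length

def build_v4_signature_packet(key_id, sig_mpi):
    """v4 body as later PGP versions write it: the key ID moves into an Issuer subpacket (constructed)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1003795200)                 # subpacket 2: creation time
    unhashed = bytes([9, 16]) + key_id                                     # subpacket 16: Issuer
    body = bytes([4, 0x01, 17, 2])                                         # ver 4, text sig, DSA, SHA-1
    body += struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xab\xcd" + struct.pack(">H", len(sig_mpi) * 8) + sig_mpi
    return bytes([0x88, len(body)]) + body

def _subpackets(area):
    pos = 0                                  # one-octet subpacket lengths only; enough for Issuer
    while pos < len(area):
        length = area[pos]
        if length >= 192:
            raise ValueError("multi-octet subpacket length not handled in this example")
        yield area[pos + 1] & 0x7F, area[pos + 2:pos + 1 + length]        # critical bit masked off the type
        pos += 1 + length

def signature_issuer(packet):
    """Signing key ID (16 hex digits) from an old-format v3 or v4 signature packet."""
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2 or tag & 0x03 > 1:
        raise ValueError("not an old-format signature packet")
    body = packet[2:2 + packet[1]] if tag & 0x03 == 0 else packet[3:3 + struct.unpack(">H", packet[1:3])[0]]
    if body[0] == 3:
        return body[7:15].hex().upper()                                    # after version, 5, type, 4-octet time
    if body[0] == 4:
        pos = 4
        for _ in range(2):                                                 # hashed area, then unhashed area
            size = struct.unpack(">H", body[pos:pos + 2])[0]
            for sub_type, data in _subpackets(body[pos + 2:pos + 2 + size]):
                if sub_type == 16:
                    return data.hex().upper()
            pos += 2 + size
    raise ValueError("unsupported signature version or no Issuer subpacket")

def armor_signature(packet):
    b64 = base64.b64encode(packet).decode()
    return "\n".join([SIG_BEGIN, ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [SIG_END])

def split_cleartext(message):
    """(template text, signature packet), or a rejection for anything not cleartext-signed."""
    lines = message.splitlines()
    if not lines or lines[0] != SIGNED_BEGIN:
        raise ValueError("not cleartext-signed: the template cannot be read before PGP runs")
    i, text = lines.index("", 1) + 1, []                                   # skip the Hash: headers
    while lines[i] != SIG_BEGIN:
        text.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])   # undo dash-escaping
        i += 1
    i = lines.index("", i) + 1                                             # skip armor headers
    b64 = [l for l in lines[i:lines.index(SIG_END, i)] if not l.startswith("=")]   # "=" line is the CRC, not checked here
    return "\n".join(text), base64.b64decode("".join(b64))

def template_key_id(text):
    fields = {l.split(".", 1)[0]: l.split(":", 1)[1].strip() for l in text.splitlines() if ":" in l}
    if fields.get("0b") != "PGP":                                          # labels 0b/0c are an assumption
        raise ValueError("Auth Scheme is not PGP")
    if not fields.get("0c"):
        raise ValueError("Auth Info (key ID) left blank")
    return fields["0c"].upper().replace("0X", "")

def check_submission(message):
    """('ok', issuer key ID to verify against) or ('rejected', reason a human would see)."""
    try:
        text, packet = split_cleartext(message)
        claimed, issuer = template_key_id(text), signature_issuer(packet)
    except ValueError as exc:
        return "rejected", str(exc)
    if not issuer.endswith(claimed):                                       # PGP 2.x prints the low 32 bits as the key ID
        return "rejected", "template names key %s but signature was made by %s" % (claimed, issuer)
    return "ok", issuer

TEMPLATE = ("0a. (N)ew (M)odify (D)elete.....: M\n"
            "0b. Auth Scheme.................: PGP\n"
            "0c. Auth Info...................: 0xDEADBEEF\n"
            "1.  Domain Name.................: example.net\n")            # constructed; layout assumed
KEY_ID = bytes.fromhex("5AC0FFEEDEADBEEF")
SIG_MPI = bytes([0x80]) + bytes(range(1, 16))                              # 128-bit dummy, high bit set so the MPI length is exact

def build_submission(template, packet):
    escaped = ["- " + l if l.startswith("-") else l for l in template.splitlines()]
    return "\n".join([SIGNED_BEGIN, "Hash: MD5", ""] + escaped + [armor_signature(packet)]) + "\n"

V3_SUBMISSION = build_submission(TEMPLATE, build_v3_signature_packet(KEY_ID, SIG_MPI))
V4_SUBMISSION = build_submission(TEMPLATE, build_v4_signature_packet(KEY_ID, SIG_MPI))
ENCRYPTED = "-----BEGIN PGP MESSAGE-----\n\nhQEMA3x\n-----END PGP MESSAGE-----\n"   # constructed, unreadable
```

Point 1 falls out of the first check: a `-----BEGIN PGP MESSAGE-----` blob is rejected at line one, because there is no template text to read until it is decrypted. Point 2 is visible in `signature_issuer`: a v3 key ID sits at a fixed offset, while a v4 signature has to be walked for its Issuer subpacket, so a front end written only against the v3 layout would never find the key ID in a v4 signature. Point 3 is `template_key_id`: a blank key-ID field is rejected before PGP is consulted at all.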
Leo, we did all of these. We found out about #3 (their documentation still says this should be blank, but we were told in '96 to put the key-id there). And we always used PGP 2.4.2. They were the only reason we had 2.4.2 ...

Anyway, we had pre-written domain forms and we processed the message through a CGI script I wrote, so there was no possible way for the message to go with other than signed cleartext with the keyid in the auth field. 50% of the submissions got bounced for no reason and we had to call in. Even the ones that cleared would take 8-10 hours. NetSol told us that they queue the PGP stuff and do it once a day, manually. That the only way to improve response was to drop PGP auth.

Maybe they have gotten better recently. We moved all of our domains to OpenSRS over a year ago, so we don't have to wait any more. At the time we left, it was a nightmare.

On Mon, Oct 22, 2001 at 12:34:23PM -0400, Leo Bicknell wrote:
> On Mon, Oct 22, 2001 at 12:24:17AM -0700, Joe Rhett wrote:
> > Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
>
> I find these comments interesting. I have been using PGP auth for a number of years and found it to work just fine. I have found most of the problems people have mentioned to be them running PGP wrong, and/or using new versions of PGP before Netsol got them working. I've only ever had one request get hung up, and it was because I sent them an ASCII-armored request, rather than a cleartext signed copy.
>
> Just to be sure, I just submitted a number of changes I had been sitting on, with PGP. 4 minutes later automated e-mail back that the changes had been made and all is well. Since their documentation sucks, some tips:
>
> 1) Your message must be signed cleartext. They need to be able to parse the text, in particular to get your keyid before running it through PGP. I'm not sure why this is, but it is the way it is, so just do it. Note, this implies you cannot encrypt your message, just sign it.
>
> 2) Use older PGP / keys. I still use 2.6.2 keys with them, and I know of people using 5.0 keys. Anything newer may cause issues.
>
> 3) Make sure your auth type is set to PGP _AND_ the key-id is filled in. If you fill out the automated forms on the web there is no way to enter a key id, you must manually edit the file they send you in e-mail.
>
> If your message is wrong for any reason, it will get bounced to a human, and most of the humans have no idea what to do with a bad PGP request (particularly an encrypted one that they can't even read) so they do sit. It's like getting soup in a Seinfeld show, do it right, you get soup, do it wrong, and well, "no soup for you!"
>
> -- Leo Bicknell - bicknell@ufp.org Systems Engineer - Internetworking Engineer - CCIE 3440 Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
-- Joe Rhett Chief Geek JRhett@ISite.Net ISite Services, Inc.
On 10/22/01, Joe Rhett <jrhett@isite.net> wrote:
> > i've been trying to add a pgp key to the verisign/netsol database for the past two weeks. i've sent four messages, opened three web help requests, and spent three hours on the phone with their helpdesk. they know less than their customers about their own procedures and web documentation for adding keys for PGP guardian auth.
>
> Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
I've had PGP AUTH broken for the last 6 years, and had the same kind of experience. I just finished an ENTIRE MONTH of calling a couple of times a week to get a simple host record fixed. In one call, somebody changed me from PGP AUTH to MAIL-FROM without effectively confirming that I was really me. VeriSign needs to cut their losses and start over. -- J.D. Falk "you can bomb the world to pieces, <jdfalk@cybernothing.org> but you can't bomb it into peace" -- Michael Franti
On Mon, Oct 22, 2001 at 03:38:35PM -0700, J.D. Falk wrote:
> On 10/22/01, Joe Rhett <jrhett@isite.net> wrote:
> > Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
>
> I've had PGP AUTH broken for the last 6 years, and had the same kind of experience. I just finished an ENTIRE MONTH of calling a couple of times a week to get a simple host record fixed. In one call, somebody changed me from PGP AUTH to MAIL-FROM without effectively confirming that I was really me.
>
> VeriSign needs to cut their losses and start over.
On that note, am I the only one who got an email from Verisign recently which said, in effect, "we apologize for giving you horrific customer service for so many years, and we're going to try to do better"?

<quote>
Subject: Urgent Information About Your Domain Name Records

Dear Valued Customer,

Over the past year our business has undergone tremendous growth and change. We know that as a result of this growth, we haven't always delivered the best customer experience to all of our customers. We are correcting this. That correction starts today.
</quote>

etc. etc.

-- - mdz
On Mon, Oct 22, 2001 at 09:42:05PM -0400, Matt Zimmerman wrote:
> On that note, am I the only one who got an email from Verisign recently which said, in effect, "we apologize for giving you horrific customer service for so many years, and we're going to try to do better"?
I didn't get it, but my guess is that this is a last ditch effort to stem the exodus away from NetSol to the alternatives. As far as I am concerned, they're a day late and $23 short. (I get domains for $12/year now thru an OpenSRS registrar.) --Adam -- Adam McKenna <adam@flounder.net> | GPG: 17A4 11F7 5E7E C2E7 08AA http://flounder.net/publickey.html | 38B0 05D0 8BF7 2C6D 110A
On 10/22/01, Matt Zimmerman <mdz@csh.rit.edu> wrote:
> > VeriSign needs to cut their losses and start over.
>
> On that note, am I the only one who got an email from Verisign recently which said, in effect, "we apologize for giving you horrific customer service for so many years, and we're going to try to do better"?
My housemate got one of those, too. It was good 'cause it reminded her that she still had domains with netsol (so she immediately moved 'em).

-- J.D. Falk "you can bomb the world to pieces, <jdfalk@cybernothing.org> but you can't bomb it into peace" -- Michael Franti
I especially like the letter I got from them a year after transferring all my domains away, which said I need to renew the never configured nor used email boxes that they never told me they were supplying for my domains. I got another one a few weeks ago, more than a year and a half after moving all my domains away from NetSol!

JMH

"J.D. Falk" wrote:
> On 10/22/01, Matt Zimmerman <mdz@csh.rit.edu> wrote:
> > On that note, am I the only one who got an email from Verisign recently which said, in effect, "we apologize for giving you horrific customer service for so many years, and we're going to try to do better"?
>
> My housemate got one of those, too. It was good 'cause it reminded her that she still had domains with netsol (so she immediately moved 'em).
>
> -- J.D. Falk "you can bomb the world to pieces, <jdfalk@cybernothing.org> but you can't bomb it into peace" -- Michael Franti
I posted a serious vulnerability in the NetSol PGP-AUTH system to BugTraq a while back. If you search the archives, you'll find it. PGP-AUTH provides effectively no authentication whatsoever, as far as I can tell. It's definitely not worth the hassle one has to go through to get it to function properly.

On Mon, 22 Oct 2001, J.D. Falk wrote:
> On 10/22/01, Joe Rhett <jrhett@isite.net> wrote:
> > > i've been trying to add a pgp key to the verisign/netsol database for the past two weeks. i've sent four messages, opened three web help requests, and spent three hours on the phone with their helpdesk. they know less than their customers about their own procedures and web documentation for adding keys for PGP guardian auth.
> >
> > Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
>
> I've had PGP AUTH broken for the last 6 years, and had the same kind of experience. I just finished an ENTIRE MONTH of calling a couple of times a week to get a simple host record fixed. In one call, somebody changed me from PGP AUTH to MAIL-FROM without effectively confirming that I was really me.
>
> VeriSign needs to cut their losses and start over.
>
> -- J.D. Falk "you can bomb the world to pieces, <jdfalk@cybernothing.org> but you can't bomb it into peace" -- Michael Franti
-- Len Sassaman Security Architect | "Now it's all change -- Technology Consultant | It's got to change more." | http://sion.quickie.net | --Joe Jackson
On Mon, Oct 22, 2001 at 03:38:35PM -0700, J.D. Falk wrote:
> On 10/22/01, Joe Rhett <jrhett@isite.net> wrote:
> > > i've been trying to add a pgp key to the verisign/netsol database for the past two weeks. i've sent four messages, opened three web help requests, and spent three hours on the phone with their helpdesk. they know less than their customers about their own procedures and web documentation for adding keys for PGP guardian auth.
> >
> > Don't waste your time. We had PGP auth working for the last 6 years. It will slow down any change you want to make by 3-5 days. Around 30% will get rejected for no reason whatsoever, and much more fun stuff.
>
> I've had PGP AUTH broken for the last 6 years, and had the same kind of experience. I just finished an ENTIRE MONTH of calling a couple of times a week to get a simple host record fixed. In one call, somebody changed me from PGP AUTH to MAIL-FROM without effectively confirming that I was really me.
I wrote this in March of 1999:

  I have gone to silly lengths to ensure that I am giving them a valid signature. Once I signed the template, and then verified the signature. I then copied it to another machine with a different PGP version and re-verified the signature. Then I mailed it to myself off-site and verified the signature on the remote system to ensure the mail system wasn't breaking something. Finally, I mailed it to hostmaster@internic.net and cc'd myself on and off-site. Both copies I got back verified fine. The Internic took a few days and then bounced it because they couldn't verify the signature.

It never improved, and I eventually gave up. I'm using OpenSRS now.

David

-- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson
participants (10):
- Adam McKenna
- beldridg@best.com
- David Shaw
- J.D. Falk
- Joe Rhett
- John Hall
- Len Sassaman
- Leo Bicknell
- Matt Zimmerman
- Peter Galbavy