i've been trying to add a pgp key to the verisign/netsol database for the
past two weeks. i've sent four messages, opened three web help requests,
and spent three hours on the phone with their helpdesk. they know less
than their customers about their own procedures and web documentation for
adding keys for PGP guardian auth.
i guess this is the problem with government sanctioned monopolies.
i'd like to do something about it.
does anybody know if there is a formal board or governing group that i can
send my grievances to?
- brett
> i've been trying to add a pgp key to the verisign/netsol database for the
> past two weeks. i've sent four messages, opened three web help requests,
> and spent three hours on the phone with their helpdesk. they know less
> than their customers about their own procedures and web documentation for
> adding keys for PGP guardian auth.
Don't waste your time. We had PGP auth working for the last 6 years. It
will slow down any change you want to make by 3-5 days. Around 30% will get
rejected for no reason whatsoever, and much more fun stuff.
They're probably ignoring new submissions because they never finished an
automated infrastructure to support it, which means they do it all by hand,
painfully for them and their customers.
If you do insist on going that route, get used to sending the mail, then
calling up and waiting on hold for 1-2 hours, then pushing to get someone
who knows what PGP is to process the message. Otherwise it may take 5 days
before you get a response, and it will be a confused rejection.
Or move to another registrar. I can strongly recommend Tucows/openSRS with no
other relationship than being a very happy reseller.
rgds,
I find these comments interesting. I have been using PGP auth for
a number of years and found it to work just fine. I have found
most of the problems people have mentioned to be them running PGP
wrong, and/or using new versions of PGP before Netsol got them
working. I've only ever had one request get hung up, and it was
because I sent them an ASCII-Armored request, rather than a cleartext
signed copy.
Just to be sure, I just submitted a number of changes I had been
sitting on, with PGP. 4 minutes later automated e-mail back that
the changes had been made and all is well. Since their documentation
sucks, some tips:
1) Your message must be signed cleartext. They need to be able to
parse the text, in particular to get your keyid before running
it through PGP. I'm not sure why this is, but it is the way it
is, so just do it. Note, this implies you cannot encrypt your
message, just sign it.
2) Use older PGP / keys. I still use 2.6.2 keys with them, and I
know of people using 5.0 keys. Anything newer may cause issues.
3) Make sure your auth type is set to PGP _AND_ the key-id is
filled in. If you fill out the automated forms on the web there
is no way to enter a key id, you must manually edit the file
they send you in e-mail.
If your message is wrong for any reason, it will get bounced to a
human, and most of the humans have no idea what to do with a bad
PGP request (particularly an encrypted one that they can't even
read) so they do sit. It's like getting soup in a Seinfeld show,
do it right, you get soup, do it wrong, and well, "no soup for
you!"
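
A pre-submission check for tip 1 and the key id of tip 3 above, added here as an example (not code from this thread or from the registrar): it inspects only the OpenPGP cleartext-signature framing and whether the key id is readable in the signed text, and does not verify the signature. The sample messages, the template line in them and the key id 1A2B3C4D are constructed.

```python
SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
ARMORED = "-----BEGIN PGP MESSAGE-----"

def check_submission(text, key_id):
    """Pre-flight framing check; returns (ok, reason, signed_text)."""
    lines = [l.rstrip() for l in text.replace("\r\n", "\n").split("\n")]
    if ARMORED in lines:
        return False, "armored/encrypted: no readable text to parse", None
    if SIGNED not in lines:
        return False, "unsigned: no cleartext signature header", None
    start = lines.index(SIGNED)
    try:
        sig = lines.index(SIG_BEGIN, start)
        lines.index(SIG_END, sig)
    except ValueError:
        return False, "truncated: signature block incomplete", None
    # Skip optional armor headers ("Hash: ...") up to the first blank line.
    i = start + 1
    while i < sig and lines[i] != "":
        i += 1
    # Undo dash-escaping: signers prefix "- " to lines that start with "-".
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig]]
    signed = "\n".join(body)
    if key_id.lower() not in signed.lower():
        return False, "key id not readable in the signed text", signed
    return True, "cleartext-signed, key id present", signed

# Constructed samples: the template line and signature are placeholders.
SAMPLE_OK = """-----BEGIN PGP SIGNED MESSAGE-----

auth scheme: PGP, key id 1A2B3C4D
- --- end of template ---
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
SAMPLE_ARMORED = "-----BEGIN PGP MESSAGE-----\n\n(placeholder)\n-----END PGP MESSAGE-----\n"

if __name__ == "__main__":
    for name, msg in (("cleartext", SAMPLE_OK), ("armored", SAMPLE_ARMORED)):
        print(name, check_submission(msg, "1A2B3C4D")[:2])
```
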
> Don't waste your time. We had PGP auth working for the last 6 years. It
> will slow down any change you want to make by 3-5 days. Around 30% will get
> rejected for no reason whatsoever, and much more fun stuff.
I've had PGP AUTH broken for the last 6 years, and had the same
kind of experience. I just finished an ENTIRE MONTH of calling
a couple of times a week to get a simple host record fixed. In
one call, somebody changed me from PGP AUTH to MAIL-FROM without
effectively confirming that I was really me.
VeriSign needs to cut their losses and start over.
On that note, am I the only one who got an email from Verisign recently
which said, in effect, "we apologize for giving you horrific customer
service for so many years, and we're going to try to do better"?
<quote>
Dear Valued Customer,
Over the past year our business has undergone tremendous
growth and change. We know that as a result of this growth,
we haven't always delivered the best customer experience to
all of our customers. We are correcting this. That
correction starts today.
</quote>
etc. etc.
I didn't get it, but my guess is that this is a last ditch effort to stem the
exodus away from NetSol to the alternatives. As far as I am concerned,
they're a day late and $23 short. (I get domains for $12/year now thru an
OpenSRS registrar.)
--Adam
My housemate got one of those, too. It was good 'cause it
reminded her that she still had domains with netsol (so she
immediately moved 'em).
I posted a serious vulnerability in the NetSol PGP-AUTH system to BugTraq
a while back. If you search the archives, you'll find it. PGP-AUTH
provides effectively no authentication whatsoever, as far as I can tell.
It's definitely not worth the hassle one has to go through to get it to
function properly.
I especially like the letter I got from them a year after transferring all
my domains away, which said I need to renew the never configured nor used
email boxes that they never told me they were supplying for my domains.
I've gotten another one a few weeks ago, more than a year and a half
after moving all my domains away from NetSol!
JMH
"J.D. Falk" wrote:
I wrote this in March of 1999:
I have gone to silly lengths to ensure that I am giving them a valid
signature. Once I signed the template, and then verified the
signature. I then copied it to another machine with a different PGP
version and re-verified the signature. Then I mailed it to myself
off-site and verified the signature on the remote system to ensure
the mail system wasn't breaking something. Finally, I mailed it to
hostmaster@internic.net and cc'd myself on and off-site. Both
copies I got back verified fine. The Internic took a few days and
then bounced it because they couldn't verify the signature.
It never improved, and I eventually gave up. I'm using OpenSRS now.
David
Leo, we did all of these. We found out about #3 (their documentation still
says this should be blank, but we were told in '96 to put the key-id there)
And we always used PGP 2.4.2. They were the only reason we had 2.4.2 ...
Anyway, we had pre-written domain forms and we processed the message
through a CGI script I wrote, so there was no possible way for the message
to go with other than signed cleartext with the keyid in the auth field.
50% of the submissions got bounced for no reason and we had to call in.
Even the ones that cleared would take 8-10 hours. NetSol told us that
they queue the PGP stuff and do it once a day, manually. That the only way
to improve response was to drop PGP auth.
Maybe they have gotten better recently. We moved all of our domains to
OpenSRS over a year ago, so we don't have to wait any more. At the time we
left, it was a nightmare.