Table of contents
Create key-cert
This document takes you step-by-step through the process of creating a key-cert object, including generation of a PGP key and PGP-signing your DB submissions.
The key-cert object MUST be added into the database before your maintainer is updated to reference it.
A new maintainer should not be submitted with a PGPKEY auth reference unless you include the key-cert object with your new maintainer object submission.
The example below uses PGP version 5.0. When you enter PGP commands PGP will default to ~/.pgp in your default directory.
You can override the default using the 'PGPPATH' environment variable.
PGP key
In the example, the 'Enter pass phrase:' line is used to indicate that the value you supply will be needed each time you PGP-sign a submission.
Therefore it's a good idea to keep your pass phrase in a safe place or, ideally, memorize it so there is no possibility that another party can find it.
Anyone with your pass phrase has the ability to impersonate you and breach your DB objects.
% pgpk -g
Choose the type of your public key:
1) DSS/Diffie-Hellman - New algorithm for 5.0 (default)
2) RSA
Choose 1 or 2: 2
Pick your public/private keypair key size:
1) 768 bits- Commercial grade, probably not currently breakable
2) 1024 bits- High commercial grade, secure for many years
3) 2048 bits- "Military" grade, secure for the foreseeable future
Choose 1, 2 or 3, or enter desired number of bits
(768 - 2048): 1
You need a user ID for your public key. The desired form for this
user ID is your FULL name, followed by your E-mail address enclosed in
, if you have an E-mail address. For example:
Joe Smith
If you violate this standard, you will lose much of the benefits of
PGP 5.0's keyserver and email integration.
Enter a user ID for your public key: Gerald A. Winters < gerald@merit.edu >
Enter the validity period of your key in days from 0 - 999
0 is forever (and the default): 0
You need a pass phrase to protect your private key(s).
Your pass phrase can be any sentence or phrase and may have many
words, spaces, punctuation, or any other printable characters.
Enter pass phrase:
Enter again, for confirmation:
Enter pass phrase:
Collecting randomness for key...
We need to generate 35 random bits. This is done by measuring the
time intervals between your keystrokes. Please enter some random text
on your keyboard until you hear the beep:
0 * -Enough, thank you.
******* ...............*******
Keypair created successfully.
If you wish to send this new key to a server, enter the URL of the server,
below. If not, enter nothing.
%
Extract key
% pgpk -xa gerald
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
mQBtAzlPun4AAAEDAL4HzIVpazkecT7nWTotIsbmSdyfeImWVA4ZzVXZuwb6quK3
SocNluXQnzCDf9rSGO7mT2gLYKFSpBuQXQ0mZfGjL1yXT1FLIdkb94B0B7vPiTVb
+d/f4Ye0diwnAceU0QAFEbQkR2VyYWxkIEEuIFdpbnRlcnMgPGdlcmFsZEBtZXJp
dC5lZHU+iQB1AwUQOU+6frR2LCcBx5TRAQHR0QMAp6lAb8/SEq8V8lLTtB908sPq
H2Sh034w75ekZIwWVP3WQx9DcugWxbaNv5mYhfq4eoGNBZ2svNFZ0s0440bD8gAU
CFuhzB4dp523YePxHxgK5MuMPVqRCnbLETgrnfcs
=sYcq
-----END PGP PUBLIC KEY BLOCK-----
Hex ID
The hex ID is '01C794D1'.
% pgpk -l gerald
Type Bits KeyID Created Expires Algorithm Use
sec+ 768 0x01C794D1 2000-06-20 ---------- RSA Sign & Encrypt
uid Gerald A. Winters
1 matching key found
%
Construct object
Note that the 'method:', 'owner:' and 'fingerpr:' attributes have not been specified.
These attributes are auto-generated by the DB software and so they are intentionally omitted.
key-cert: PGPKEY-01C794D1
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: PGP for Personal Privacy 5.0
+
+mQBtAzlPun4AAAEDAL4HzIVpazkecT7nWTotIsbmSdyfeImWVA4ZzVXZuwb6quK3
+SocNluXQnzCDf9rSGO7mT2gLYKFSpBuQXQ0mZfGjL1yXT1FLIdkb94B0B7vPiTVb
++d/f4Ye0diwnAceU0QAFEbQkR2VyYWxkIEEuIFdpbnRlcnMgPGdlcmFsZEBtZXJp
+dC5lZHU+iQB1AwUQOU+6frR2LCcBx5TRAQHR0QMAp6lAb8/SEq8V8lLTtB908sPq
+H2Sh034w75ekZIwWVP3WQx9DcugWxbaNv5mYhfq4eoGNBZ2svNFZ0s0440bD8gAU
+CFuhzB4dp523YePxHxgK5MuMPVqRCnbLETgrnfcs
+=sYcq
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by: MAINT-MERIT
changed: gerald@merit.edu 20000709
source: RADB
Update maintainer
Be sure to add your key-cert object to the database *before* you update your maintainer.
The new 'auth:' attribute has been added in the 2nd auth field
mntner: MAINT-GERALD
descr: Illustrate PGP authenticaion
admin-c: DUMMY-RADB
tech-c: DUMMY-RADB
upd-to: gerald@merit.edu
mnt-nfy: gerald@merit.edu
auth: CRYPT-PW pfrutahVELjzI
auth: PGPKEY-01C794D1
mnt-by: MAINT-GERALD
changed: gerald@merit.edu 20000709
source: RADB
Email objects
Assume the objects are in a file called 'db-objects.txt'
% mail auto-dbm@radb.net < db-objects.txt
PGP-sign
After you have successfully added your 'key-cert' object to the DB and updated your maintainer to use PGP authentication, you can PGP-sign your submissions
PGP Authentication
- Following instructions for creating, modifying or deleting an object, but omit the step to mail auto-dbm@radb.net.
- Assume the object is in a filed named 'db-submission.txt'.
Since PGP defaults its output to a file named *.asc, in our example the PGP-signed submission will be in a file called db-submission.txt.asc.
The 'pass phrase' is the value you supplied to PGP when you created your key from step 1, in the previous section "Create a PGP key."
% pgps -ta -u 0x01C794D1 db-submission.txt or pgps -ta -u gerald db-submission.txt
A private key is required to make a signature.
Need a pass phrase to decrypt private key:
768 bits, Key ID 01C794D1, Created 2000-06-20
"Gerald A. Winters "
Enter pass phrase:
Pass phrase is good.
Creating output file db-submission.txt.asc
%
Send your PGP submission to the RADB:
% mail auto-dbm@radb.net < db-submission.txt.asc
Tips
Once you begin using PGP authentication is your DB updates, be sure that you are not allowing lesser forms of authentication in your maintainer, i.e., 'MAIL-FROM' and 'NONE'.
For example, we discourage maintainers such as the following:
mntner: MAINT-GERALD
descr: How to nullify PGP authentication
admin-c: DUMMY-RADB
tech-c: DUMMY-RADB
upd-to: gerald@merit.edu
mnt-nfy: gerald@merit.edu
auth: MAIL-FROM gerald@merit.edu
auth: PGPKEY-01C794D1
mnt-by: MAINT-GERALD
changed: gerald@merit.edu 20000709
source: RADB
Note that the maintainer above allows 'MAIL-FROM' as well as PGP authentication.
This would make it possible for an imposter to impersonate you in email using 'MAIL-FROM' authentication, therefore nullifying the benefits of PGP authentication.
Even worse would be to have a maintainer such as the following:
mntner: MAINT-GERALD
descr: Illustrate PGP authentication
admin-c: DUMMY-RADB
tech-c: DUMMY-RADB
upd-to: gerald@merit.edu
mnt-nfy: gerald@merit.edu
auth: NONE
auth: MAIL-FROM gerald@merit.edu
auth: PGPKEY-01C794D1
mnt-by: MAINT-GERALD
changed: gerald@merit.edu 20000709
source: RADB
Merit will continue to support the traditional forms of authentication.
However, we strongly urge you to convert to PGP-signing of your DB submissions and to avoid the use of lesser forms of authentication.
Need Assistance?
If you have technical questions or need help related to Merit RADb, please contact RADb Support.