Using PGP with the RADB
How To Create a key-cert Object
This document takes you step-by-step through the process of creating a key- cert object, including generation of a PGP key and PGP-signing your DB submissions.
The key-cert object MUST be added into the database before your maintainer is updated to reference it. A new maintainer should not be submitted with a PGPKEY auth reference unless you include the key-cert object with your new maintainer object submission.
User input is shown in red.
The example below uses PGP version 5.0. When you enter PGP commands PGP will default to ~/.pgp in your default directory. You can override the default using the 'PGPPATH' environment variable.
1. Create a PGP key.
In the example, the 'Enter pass phrase:' line is highlighted in orange to indicate that the value you supply will be needed each time you PGP-sign a submission. Therefore it's a good idea to keep your pass phrase in a safe place or, ideally, memorize it so there is no possibility that another party can find it. Anyone with your pass phrase has the ability to impersonate you and breach your DB objects.
% pgpk -g Choose the type of your public key: 1) DSS/Diffie-Hellman - New algorithm for 5.0 (default) 2) RSA Choose 1 or 2: 2 Pick your public/private keypair key size: 1) 768 bits- Commercial grade, probably not currently breakable 2) 1024 bits- High commercial grade, secure for many years 3) 2048 bits- "Military" grade, secure for the forseeable future Choose 1, 2 or 3, or enter desired number of bits (768 - 2048): 1 You need a user ID for your public key. The desired form for this user ID is your FULL name, followed by your E-mail address enclosed in , if you have an E-mail address. For example: Joe Smith If you violate this standard, you will lose much of the benefits of PGP 5.0's keyserver and email integration. Enter a user ID for your public key: Gerald A. Winters < firstname.lastname@example.org > Enter the validity period of your key in days from 0 - 999 0 is forever (and the default): 0 You need a pass phrase to protect your private key(s). Your pass phrase can be any sentence or phrase and may have many words, spaces, punctuation, or any other printable characters. Enter pass phrase: Enter again, for confirmation: Enter pass phrase: Collecting randomness for key... We need to generate 35 random bits. This is done by measuring the time intervals between your keystrokes. Please enter some random text on your keyboard until you hear the beep: 0 * -Enough, thank you. ******* ...............******* Keypair created successfully. If you wish to send this new key to a server, enter the URL of the server, below. If not, enter nothing. %
2. Extract your public key block.
% pgpk -xa gerald -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP for Personal Privacy 5.0 mQBtAzlPun4AAAEDAL4HzIVpazkecT7nWTotIsbmSdyfeImWVA4ZzVXZuwb6quK3 SocNluXQnzCDf9rSGO7mT2gLYKFSpBuQXQ0mZfGjL1yXT1FLIdkb94B0B7vPiTVb +d/f4Ye0diwnAceU0QAFEbQkR2VyYWxkIEEuIFdpbnRlcnMgPGdlcmFsZEBtZXJp dC5lZHU+iQB1AwUQOU+6frR2LCcBx5TRAQHR0QMAp6lAb8/SEq8V8lLTtB908sPq H2Sh034w75ekZIwWVP3WQx9DcugWxbaNv5mYhfq4eoGNBZ2svNFZ0s0440bD8gAU CFuhzB4dp523YePxHxgK5MuMPVqRCnbLETgrnfcs =sYcq -----END PGP PUBLIC KEY BLOCK-----
3. Get your hex ID.
The hex ID is '01C794D1'.
% pgpk -l gerald Type Bits KeyID Created Expires Algorithm Use sec+ 768 0x01C794D1 2000-06-20 ---------- RSA Sign & Encrypt uid Gerald A. Winters 1 matching key found %
4. Construct a 'key-cert' object.
Note that the 'method:', 'owner:' and 'fingerpr:' attributes have not been specified. These attributes are auto-generated by the DB software and so they are intentionally omitted. The red + need to be added before each line of the public key block.
key-cert: PGPKEY-01C794D1 certif: +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: PGP for Personal Privacy 5.0 + +mQBtAzlPun4AAAEDAL4HzIVpazkecT7nWTotIsbmSdyfeImWVA4ZzVXZuwb6quK3 +SocNluXQnzCDf9rSGO7mT2gLYKFSpBuQXQ0mZfGjL1yXT1FLIdkb94B0B7vPiTVb ++d/f4Ye0diwnAceU0QAFEbQkR2VyYWxkIEEuIFdpbnRlcnMgPGdlcmFsZEBtZXJp +dC5lZHU+iQB1AwUQOU+6frR2LCcBx5TRAQHR0QMAp6lAb8/SEq8V8lLTtB908sPq +H2Sh034w75ekZIwWVP3WQx9DcugWxbaNv5mYhfq4eoGNBZ2svNFZ0s0440bD8gAU +CFuhzB4dp523YePxHxgK5MuMPVqRCnbLETgrnfcs +=sYcq +-----END PGP PUBLIC KEY BLOCK----- mnt-by: MAINT-MERIT changed: email@example.com 20000709 source: RADB
5. Update your maintainer to use PGP authentication using the PGP key from the 'key-cert' object.
Be sure to add your key-cert object to the database before you update your maintainer.
The new 'auth:' attribute is highlighted in boldface type.
mntner: MAINT-GERALD descr: Illustrate PGP authenticaion admin-c: Gerald Winters tech-c: Gerald Winters upd-to: firstname.lastname@example.org mnt-nfy: email@example.com auth: CRYPT-PW pfrutahVELjzI **auth: PGPKEY-01C794D1** mnt-by: MAINT-GERALD changed: firstname.lastname@example.org 20000709 source: RADB
6. Email your objects to the registry. Assume the objects are in a file called 'db-objects.txt'.
% mail email@example.com < db-objects.txt
- After you have successfully added your 'key-cert' object to the DB and updated your maintainer to use PGP authentication, you can PGP-sign your submissions.
How to Use PGP for RADB Authentication
2) Assume the object is in a filed named 'db-submission.txt'. Since PGP defaults its output to a file named *.asc, in our example the PGP-signed submission will be in a file called db-submission.txt.asc. The 'pass phrase' is the value you supplied to PGP when you created your key from step 1, in the previous section "Create a PGP key."
% pgps -ta -u 0x01C794D1 db-submission.txt or pgps -ta -u gerald db-submission.txt A private key is required to make a signature. Need a pass phrase to decrypt private key: 768 bits, Key ID 01C794D1, Created 2000-06-20 "Gerald A. Winters " Enter pass phrase: Pass phrase is good. Creating output file db-submission.txt.asc %
3) Send your PGP submission to the RADB:
% mail firstname.lastname@example.org < db-submission.txt.asc
Tips for Making Your Objects More Secure
Once you begin using PGP authentication is your DB updates, be sure that you are not allowing lesser forms of authentication in your maintainer, i.e., 'MAIL-FROM' and 'NONE'. For example, we discourage maintainers such as the following:
mntner: MAINT-GERALD descr: How to nullify PGP authentication admin-c: Gerald Winters tech-c: Gerald Winters upd-to: email@example.com mnt-nfy: firstname.lastname@example.org auth: MAIL-FROM email@example.com auth: PGPKEY-01C794D1 mnt-by: MAINT-GERALD changed: firstname.lastname@example.org 20000709 source: RADB
Note that the maintainer above allows 'MAIL-FROM' as well as PGP authentication. This would make it possible for an imposter to impersonate you in email using 'MAIL-FROM' authentication, therefore nullifying the benefits of PGP authentication. Even worse would be to have a maintainer such as the following:
mntner: MAINT-GERALD descr: Illustrate PGP authentication admin-c: Gerald Winters tech-c: Gerald Winters upd-to: email@example.com mnt-nfy: firstname.lastname@example.org auth: NONE auth: MAIL-FROM email@example.com auth: PGPKEY-01C794D1 mnt-by: MAINT-GERALD changed: firstname.lastname@example.org 20000709 source: RADB
Merit will continue to support the traditional forms of authentication. However, we strongly urge you to convert to PGP-signing of your DB submissions and to avoid the use of lesser forms of authentication.
Comments and questions are welcome; please send email to email@example.com.