Re: Multiple signatures to create a reference to an irt object
Hi Alex!
So far, the response to my query has been, well, nil :-( Maybe I'm asking this question on the wrong list? This must have been tested before...
Cheers, Alex
Well, I guess the answers are: NO (wrong list) and WELL... (tested for all situations)
Do you want it on the WG agenda for next week?
Wilfried.
___________ SWITCH - The Swiss Academic and Research Network ___________
Alexander Gall, SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
gall@switch.ch Tel: +41 1 268 1522 Fax: +41 1 268 1568
Hello
I've been playing around with PGP authentication and irt objects in the test database and ran into the following problem.
The relevant objects are
    mntner: SWITCH-MNT
    irt: IRT-SWITCH
    inetnum: 130.59.0.0 - 130.59.255.255
    key-cert: PGPKEY-C3BA4795
    key-cert: PGPKEY-82146071
They are all protected by SWITCH-MNT, which has a single auth attribute pointing to PGPKEY-C3BA4795. Updates signed with this key work fine.
IRT-SWITCH has the attribute auth: PGPKEY-82146071.
What I would like to do is to add mnt-irt: IRT-SWITCH to the inetnum object. If I understood correctly, I have to sign that update with two keys: with key C3BA4795 because the inetnum is protected by SWITCH-MNT and with 82146071 because a new reference to an irt object needs to be signed by the key referenced in the irt's auth attribute.
The question is, which MIME message sent to test-dbm@ripe.net does this for me?
My interpretation of the (rather brief) section "3.3.2 PGP support" in the handbook is that I need to create a MIME message with nested signatures. So, I created such a beast by hand because my mailer can't do that (see first attachment). Apparently, the robot checks the outer signature but does not recognize the inner multipart/signed content-type (see second attachment).
Unless my MIME encoding is wrong (which may well be the case :-) I must have misunderstood the mechanism.
Any help is appreciated.
-- Alex
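The nested layout Alex describes, as an added example that is not part of the original thread: a constructed message with two multipart/signed layers (RFC 1847 / RFC 3156 structure) and a walker that lists every signed layer rather than stopping at the outer one. The boundary names, the abbreviated update body and the placeholder signature text are assumptions; no PGP verification is performed, and nothing here describes how the RIPE robot actually parses mail.

```python
from email import message_from_string

# Constructed sample: an (abbreviated) update wrapped in two multipart/signed
# layers. The signature bodies are placeholders, not real PGP signatures.
NESTED = """\
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="outer";
 protocol="application/pgp-signature"; micalg=pgp-sha1

--outer
Content-Type: multipart/signed; boundary="inner";
 protocol="application/pgp-signature"; micalg=pgp-sha1

--inner
Content-Type: text/plain

inetnum: 130.59.0.0 - 130.59.255.255
mnt-irt: IRT-SWITCH

--inner
Content-Type: application/pgp-signature

(placeholder: signature by the inner key)
--inner--

--outer
Content-Type: application/pgp-signature

(placeholder: signature by the outer key)
--outer--
"""

def signature_layers(msg, depth=0):
    """List (depth, signed content type, signature text), outermost first."""
    if msg.get_content_type() != "multipart/signed":
        return []
    parts = msg.get_payload()
    # A signed entity has exactly two parts: the content, then the signature.
    if len(parts) != 2 or parts[1].get_content_type() != msg.get_param("protocol"):
        raise ValueError("malformed multipart/signed at depth %d" % depth)
    signed, sig = parts
    layer = (depth, signed.get_content_type(), sig.get_payload().strip())
    # Recurse: the signed content may itself be another multipart/signed.
    return [layer] + signature_layers(signed, depth + 1)

def innermost_body(msg):
    """Return the payload under all signature layers."""
    while msg.get_content_type() == "multipart/signed":
        msg = msg.get_payload()[0]
    return msg.get_payload()
```

A processor that inspects only the first layer sees `multipart/signed` as the signed content type and never reaches the inner signature or the `text/plain` update underneath it.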
--------------------------------------------------------------------------------
Hello Wilfried
So far, the response to my query has been, well, nil :-( Maybe I'm asking this question on the wrong list? This must have been tested before...
Cheers, Alex
Well, I guess the answers are: NO (wrong list) and WELL... (tested for all situations)
Do you want it on the WG agenda for next week?
If it's supposed to work the way I tried but doesn't, I guess so.
-- Alex
Wilfried.
--------------------------------------------------------------------------------
Dear Alex, colleagues,
Alexander Gall wrote:
Hello Wilfried
So far, the response to my query has been, well, nil :-( Maybe I'm asking this question on the wrong list? This must have been tested before...
Sorry for the delay in answering, we are looking into it and will let you know where the problem is.
However, may I suggest that you direct specific problems to:
- regarding RIPE DB operations (problems with updates, etc.) to ripe-dbm@ripe.net
- regarding RIPE DB software (installation, bug reports, etc.) directly to the development team at dbrip@ripe.net.
That will let us address the problem in a more timely manner.
Thanks,
Andrei Robachevsky
DB Group Manager
RIPE NCC
Cheers, Alex
Well, I guess the answers are: NO (wrong list) and WELL... (tested for all situations)
Do you want it on the WG agenda for next week?
If it's supposed to work the way I tried but doesn't, I guess so.
-- Alex
Wilfried.
--------------------------------------------------------------------------------
-- Andrei
participants (3)
- Alexander Gall
- Andrei Robachevsky
- Wilfried Woeber, UniVie/ACOnet