PGP authentication and mntner objects
Using PGP keys in mntner objects
To use PGP authentication to authorize changes to objects protected by your mntner object, you must:
1. Create a PGP key
Don't have PGP software installed on your system? Download from International PGP.
2. Register the public PGP key in the APNIC Whois Database
- Create a ‘key-cert’ object in the APNIC Whois Database to hold your public PGP key
- Place your public key in the certif attribute.
The object template includes information on how to complete the attribute values.
Attribute   Status        Instance    Search Status
key-cert:   [mandatory]   [single]    [primary/lookup key]
method:     [generated]   [single]    [ ]
owner:      [generated]   [multiple]  [ ]
fingerpr:   [generated]   [single]    [ ]
certif:     [mandatory]   [multiple]  [ ]
remarks:    [optional]    [multiple]  [ ]
notify:     [optional]    [multiple]  [inverse key]
admin-c:    [optional]    [multiple]  [inverse key]
tech-c:     [optional]    [multiple]  [inverse key]
mnt-by:     [mandatory]   [multiple]  [inverse key]
changed:    [mandatory]   [multiple]  [ ]
source:     [mandatory]   [single]    [ ]
3. Place the name of the key-cert object in the auth attribute of your mntner object
- If you are creating a new mntner object, send the completed mntner object to email@example.com
- If you are updating an existing mntner object, the update must pass the authorization method listed in the current version of the object before the auth attribute can be changed. Then send the completed object to firstname.lastname@example.org
Using PGP keys to sign database updates
To send PGP signed updates to the APNIC Whois Database, sign the body of the message which contains the updates. Remember to use ASCII armoring.
- Multiple PGP-signed and non-signed parts can be supplied in a single update message; each part gets processed separately.
- You can supply several objects which are protected by different PGP keys in a single update message, but you cannot use any "magic" references like AUTO-1 nic-handles between these parts.
- The software doesn't currently support recursive PGP decoding. If you sign an already signed message, only the outermost PGP block gets checked.
- PGP parts with invalid signatures are rejected in all cases, even if the object is not protected by PGP authentication.
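Two helpers, added here as an illustration and not part of APNIC's own tooling: one wraps an ASCII-armored public key into the certif lines of a key-cert object (step 2 above, with method, owner and fingerpr left to the database since they are generated), and one splits an update mail into the signed and unsigned parts the database processes separately, marking a signed part whose body contains another signed block because only the outermost signature is checked. The key-cert name, maintainer, e-mail body, key and signature data are constructed placeholders, and LF line endings are assumed.

```python
import re

BEGIN_KEY = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END_KEY = "-----END PGP PUBLIC KEY BLOCK-----"

# One clearsigned part: header, optional Hash: line, blank line, body, signature.
SIGNED_PART = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:Hash: [^\n]*\n)?\n(.*?)\n"
    r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----", re.DOTALL)

# Constructed sample update: an unsigned part followed by a clearsigned part.
# Object names and the signature body are placeholders, not real PGP data.
SAMPLE_UPDATE = (
    "person:    Example Person\nnic-hdl:   EP1-AP\nsource:    APNIC\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "mntner:    MAINT-EXAMPLE-AP\nauth:      PGPKEY-0123ABCD\nsource:    APNIC\n"
    "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDERSIGNATUREDATA==\n=AbCd\n"
    "-----END PGP SIGNATURE-----\n")


def build_key_cert(name, armored_key, mnt_by, changed, source="APNIC"):
    """Turn an ASCII-armored public key into a key-cert object: every armor
    line becomes one certif: line (a blank armor line becomes an empty certif:).
    Only a PUBLIC KEY BLOCK is accepted, so a private key or a signed message
    pasted by mistake is refused before anything is mailed."""
    lines = [l.rstrip() for l in armored_key.strip().splitlines()]
    if not lines or lines[0] != BEGIN_KEY or lines[-1] != END_KEY:
        raise ValueError("certif must hold one ASCII-armored PGP public key block")
    obj = [f"key-cert:  {name}"]
    obj += [f"certif:    {l}" if l else "certif:" for l in lines]
    obj += [f"mnt-by:    {mnt_by}", f"changed:   {changed}", f"source:    {source}"]
    return "\n".join(obj) + "\n"


def split_update_parts(message):
    """Split an update body into the parts processed separately: each
    clearsigned block is a signed part, text between blocks is unsigned.
    A signed part whose body holds another signed block is marked nested:
    only the outermost signature is checked, so the inner key vouches for nothing."""
    parts, pos = [], 0
    for m in SIGNED_PART.finditer(message):
        gap = message[pos:m.start()].strip()
        if gap:
            parts.append({"signed": False, "nested": False, "body": gap})
        body = m.group(1)  # dash-escaped inner blocks still contain the marker text
        parts.append({"signed": True, "body": body,
                      "nested": "BEGIN PGP SIGNED MESSAGE" in body})
        pos = m.end()
    tail = message[pos:].strip()
    if tail:
        parts.append({"signed": False, "nested": False, "body": tail})
    return parts
```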