    Registering The PGP Key

  1. About PGP
  2. Obtaining PGP software
  3. Email Formats
  4. Command Line Version
  5. Windows Version
  6. Examples
  7. Replacing your PGP Key
  8. Upgrading PGP Software (or copying the keys to other machines)

The following procedure should be used to set up a PGP (Pretty Good Privacy) Key once you have obtained your Tag.

After you have completed the Tag Application Form you will be sent a Tag Holders Agreement that will need to be signed and returned to Nominet. The Tag Holders Agreement schedule will contain details of your assigned Tag Name. The assigned Tag Name is usually an abbreviation of your Company Name or Trading Name, and is written in capital letters with no blank spaces.

About PGP

"PGP - Pretty Good Privacy - is a freely available encryption program written by Phil Zimmermann which provides individuals with the kind of strong cryptography that has, in the past, been available only to the military, intelligence agencies, and large corporations.

You can use PGP to encrypt your files and electronic mail. You can also use PGP to "sign" documents with a tamper-proof digital signature, proving that you wrote these documents and that they weren't modified during transmission."

PGP: Pretty Good Privacy, Simson Garfinkel, 1995 O'Reilly & Associates, Inc.

Obtaining PGP software

There are two versions of the PGP software, Command line and Windows based. Please make sure that the version that you choose is capable of generating and supporting Rivest, Shamir & Adleman (RSA) or DSS/Diffie Hellman key types.

Many distributors and software vendors are able to supply PGP software, and downloads are available online.

Please be aware that it is your responsibility to license your version of the PGP software. For the purpose of licensing, using PGP with the Nominet Automaton counts as commercial usage.

PGP software can be downloaded from the following sites:

Installation instructions are available on the individual download sites and also in the helpfiles.

Email Formats

Please make sure that the send mail settings/formats in your email client are set to Plain Text and uuencode/US ASCII, not HTML or MIME, as these will corrupt the PGP message. Please also make sure that Line Wrapping is either deselected or set to the maximum column length, which is usually 132.

Once you have signed a message, nothing within the ASCII Armor lines should be altered in any way, otherwise PGP will consider the message to be corrupted.
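A pre-send check for the formatting problems described above, as an added example that is not Nominet's code: it confirms that the armor lines are intact, that no line was re-wrapped, and that the radix-64 body still matches the =XXXX CRC-24 checksum line of PGP ASCII armor. The names crc24, armor, check_armor and SAMPLE are chosen here, and the sample block is constructed data, not a real key.

```python
import base64
import re

def crc24(data: bytes) -> int:
    """CRC-24 used by the OpenPGP ASCII armor checksum line (RFC 4880, 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Build a constructed armor block so the checker has sample input."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {kind}-----", "Version: constructed sample",
                      "", *rows, "=" + crc, f"-----END {kind}-----"])

def check_armor(mail_body: str) -> list:
    """Return the problems found in the first armor block of a mail body."""
    lines = mail_body.replace("\r\n", "\n").split("\n")
    try:
        begin = next(i for i, l in enumerate(lines)
                     if l.startswith("-----BEGIN PGP ") and "SIGNED MESSAGE" not in l)
        end = next(i for i, l in enumerate(lines) if i > begin and l.startswith("-----END PGP "))
        blank = lines.index("", begin, end)      # blank line that ends the armor headers
    except (StopIteration, ValueError):
        return ["BEGIN/END line or blank header separator missing"]
    body = lines[blank + 1:end]
    if not body or not re.fullmatch(r"=[A-Za-z0-9+/]{4}", body[-1]):
        return ["checksum line (=XXXX) missing or damaged"]
    rows = body[:-1]
    try:
        data = base64.b64decode("".join(rows), validate=True)
    except ValueError:                           # stray characters or a cut line
        return ["non-radix-64 text or truncated line inside the armor"]
    problems = []
    if any(len(r) != len(rows[0]) for r in rows[:-1]):
        problems.append("uneven line lengths: armor was re-wrapped")
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        problems.append("CRC-24 mismatch: armor content was altered")
    return problems

SAMPLE = armor(bytes(range(200)))                # constructed data, not a real key
if __name__ == "__main__": print(check_armor(SAMPLE))
```

The checksum only shows that the armor survived the mail client; whether the signature itself is valid is still decided by PGP.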

Command Line Version

The most commonly used command line version is 2.6.3i; however, there are later versions that allow access to the command line prompt. The following instructions are for version 2.6.3i.

  1. Generate a key using the command:

    pgp -kg 1024

    When prompted for the User ID, enter your Tag Name in upper case (ignore a prompt to enter a name and e-mail address); the size should be 1024 bits. You will be asked for a PASSPHRASE. This is case sensitive, and you will need to enter it every time you use the PGP software, so do not forget it.

  2. Verifying your Public key:

    Once you have the key you will need to extract an ASCII version of it using the command:

    pgp -kxa -u <user id>

    This will place an ASCII version of the public key into a file, the contents of which should be sent to pgp@nic.uk with a subject line of:

    <tagname> Public Key <telephone number>

    Do not attach the file to an e-mail message, but rather paste the ASCII key block into the body of the message.

  3. A member of the PGP team at Nominet will contact you by telephone within two working days to confirm your fingerprint (consisting of 16 pairs of hexadecimal values). This can be displayed using the command:

    pgp -kvc <user id>

    Once your fingerprint is validated, your PGP key will be added to the Nominet key ring.

  4. Next, please produce a signed test message by generating a file containing some text (e.g. test message from <tagname>) and running the command:

    pgp -sta -u <user id> <filename>

    Once you have entered your passphrase, the output file will be <filename>.asc. Please open this file, paste its contents into an email and send it to pgp@nic.uk with a subject line of:

    <tagname> test message.

  5. The PGP team will check the contents against the key and send back a message confirming that you are able to submit PGP-signed requests to the Automaton; alternatively the team will report any problems back to you.

Please familiarise yourself with the PGP descriptions and functionality as detailed in the help files.

pgp -h

Once you have had confirmation that your Tag and PGP Key are active you will need to copy the templates and familiarize yourself with the procedures involved with using the Automaton.
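What the 16 hexadecimal pairs confirmed by telephone in step 3 are, as an added example that is not Nominet's code: for a version 3 RSA key of the kind 2.6.3i generates, the fingerprint is the MD5 digest of the modulus and exponent bytes, so it can be recomputed from the exported public key block and compared with what pgp -kvc displays. The function names are chosen here, and sample_key builds a constructed 1024-bit value, not a usable key.

```python
import base64
import hashlib
import struct

def dearmor(text: str) -> bytes:
    """Decode the radix-64 body of an armor block (headers and =CRC line dropped)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    rows = lines[lines.index("") + 1:]            # body starts after the blank line
    return base64.b64decode("".join(r for r in rows if r[:1] not in ("=", "-")))

def read_mpi(buf: bytes, pos: int):
    """Read one multiprecision integer: 2-byte bit count, then the magnitude."""
    bits = struct.unpack_from(">H", buf, pos)[0]
    end = pos + 2 + (bits + 7) // 8
    return buf[pos + 2:end], end

def v3_fingerprint(armored: str) -> str:
    """MD5 over the modulus and exponent bytes of a version 3 RSA public key."""
    pkt = dearmor(armored)
    tag = pkt[0]
    if not tag & 0x80 or tag & 0x40 or (tag >> 2) & 0x0F != 6 or tag & 3 == 3:
        raise ValueError("not a definite-length old-format public-key packet")
    hdr = 1 + (1, 2, 4)[tag & 3]                  # tag byte plus length field
    version, _created, _valid_days, algo = struct.unpack_from(">BIHB", pkt, hdr)
    if version not in (2, 3) or algo != 1:
        raise ValueError("not a version 3 RSA key; no 16-byte MD5 fingerprint")
    n, pos = read_mpi(pkt, hdr + 8)               # public modulus
    e, _ = read_mpi(pkt, pos)                     # public exponent
    digest = hashlib.md5(n + e).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, 32, 2))

def sample_key() -> str:
    """Constructed 1024-bit value standing in for a modulus; not a usable key."""
    n, e = (0xC5 << 1016) | 0x35, 17
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = struct.pack(">BIHB", 3, 0, 0, 1) + mpi(n) + mpi(e)
    pkt = b"\x99" + struct.pack(">H", len(body)) + body
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + base64.b64encode(pkt).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    print(v3_fingerprint(sample_key()))
```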

Windows Version

  1. When you have installed the PGP software you should notice some extra items on your desktop and email client, such as the email plug-ins and the shortcuts via the PGP Tray.
     
  2. To generate a new PGP Key go into PGP Keys and select 'keys' - 'new keys'. This opens a Key Generation Wizard; please follow the instructions below:
     
    • Full Name: Tag Name (all in upper case).
    • Email Address: Do NOT enter one - proceed without one.
    • Key Pair Type: RSA.
    • Key Pair Size: 1024 bits.
    • Passphrase: The choice of passphrase or password is entirely up to you. It will be case sensitive and you will need to use it every time you use PGP, so do not forget it.
    • You do not need to select 'send my key to the root server now'.
    • FINISH

    (If you have downloaded a freeware version you may already have a selection of keys with email addresses; please delete these after you have generated your key.)

  3. Once you have generated the key you will need to extract an ASCII version of it. To do this, select your key with the right mouse button and choose 'copy'. This will place an ASCII version of the public key onto the clipboard; paste the contents into the body of an email and send it to pgp@nic.uk, with a subject line of:

    <tagname> Public Key <telephone number>

    Do not attach the file to an e-mail message, but rather paste the ASCII key block into the body of the message.

  4. A member of the PGP team at Nominet will contact you by telephone within two working days to confirm your fingerprint (consisting of 16 pairs of hexadecimal values). This can be displayed from the 'key properties' within PGP Keys (available by right-clicking on your key). Once your fingerprint is validated, your PGP key will be added to the key ring.
     
  5. Producing a signed test message will depend on which tool/short-cut you choose. Please note that Nominet only uses the 'sign' functionality of PGP, so please do not use 'encryption'.

    5.1. Email Plug-in: make sure that you have your RSA key set as the default signing key and set to 'sign on send', with no detached signatures. Open a new email in the correct send mail formats and enter some text (e.g. test message from <tagname>). Send this to pgp@nic.uk with a subject line of '<tagname> test message'. You will then need to enter your PGP passphrase, after which your email will be signed and sent.

    5.2. PGP Tools: generate the text (e.g. test message from <tagname>) in a plain text editor such as 'note pad' and save this as test.txt. From the PGP Tools select 'sign' and then, when prompted, enter your passphrase. You will then have an output file called test.asc. Open this in 'note pad' and copy the entire contents of this file into a correctly formatted email. Send this email to pgp@nic.uk with a subject line of '<tagname> test message'.

    5.3. PGP Tray: To open this shortcut launch 'PGP Trays' from the Program Menu. This will then open a Padlock symbol in the right hand corner of your screen. Open a plain text editor such as 'note pad' and create some text (e.g. test message from <tagname>), then select and copy the text. From the PGP Tray select 'clipboard' and then select 'sign'. When prompted, enter your passphrase. Then open a new correctly formatted email and select paste; this will then paste the content of the clipboard into the email. Please send this to pgp@nic.uk with a subject line of '<tagname> test message'.

Please familiarise yourself with the PGP descriptions and functionality as detailed in the help files.

Once you have had confirmation that your Tag and PGP Key are active you will need to copy the templates and familiarize yourself with the procedures involved with using the Automaton.

Examples

1. Example of a PGP Public Key Block.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.3

mQCNAzoU9PEAAAEEANxbXv9K7/bvZZYAFXTE5rOZx2PrjbATcw0b8eRDSZxYQKhw
HupChsPngUyaXFL2xqy+66UiHAfoaHWtNAh3F3/uhbOKzKnGDEIfhjrSI/H261JXMvc0Ih
ctFrnOD4LxoZ2L/AFTMTGXRJ9Q6MdSfXyy956i2GeD4semJO5mY/FzyIu/KlAAUR
tAZFTUlMSUWhv328UB87HDmR1Rdx6FPTxZj8XPIi78qUBAWf4BADQ6KcZZCFB3ZFCfN
jG494hIDy7rtp1rpdiXxHmzInhD1Cg5cy6JIMNuHwHqATER8R9L18i3UPwyCgODJI7AeX1
cyWKZvcOpJCXKIG3aez2fCViuI/NVt7duIP4lqp+nuSPrI3Br3+xYj7yrh8kA6UI
HTVklHuCurw55aBwrDaO+Q==
=EGzQ
-----END PGP PUBLIC KEY BLOCK-----

2. Example of a test message.

-----BEGIN PGP SIGNED MESSAGE-----

This is a test message from <YOUR TAG NAME>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQCVAwUBOiPOPWY/FzyIu/KlAQE1tAP/Rfnp89PRWlnLXeBNGqcKZ7ErGaLkwY4H
4yjPpS7Gkz8RxoX4lNqpZN6UXe0xYpRCby6PGqxsq6wIZ9/Wl+XN+rqCt/SdQUzG
t6yakGE9d4d3zNpdWRAItY7Yi+gIAEM7zXb7Rvi9CwrJkltVpCXZKngmB5CMgqTN
c1Q1I7U8ls0=
=Usoj
-----END PGP SIGNATURE-----

Replacing your PGP Key

It is possible to replace your PGP key, for example if you forget your passphrase or lose your keys due to computer failure. Please note that it is also possible to copy your key pair onto multiple machines if necessary (see below), but it is not possible to operate multiple keys under the same Tag.

You will need to generate a new PGP key and email the Public Key Block to pgp@nic.uk with a subject line of '<tagname> Replacement Key'. Please also make sure that you include your contact details in the email.

You will also need to send a signed fax on your full company letterhead stating that you require that "the current PGP key of <tagname> is removed and replaced". The fax number is +44 (0) 1865 332288.

You will then be telephoned to confirm the key fingerprint once both the fax and the PGP Public key block have been received, verified and authorised.

When the PGP Team has confirmed that your key has been replaced, on the following working day the Automaton will acknowledge and allow the use of your new PGP key.

Upgrading PGP Software (or copying the keys to other machines)

You should have a backup copy made of the key pair (the Public and Private key blocks).

From Windows:

Select your key, go to 'keys' and select 'Export'. There will be a check box in this window to 'Include Private Key(s)'; please make sure that you select this box and then save the ASCII version to disk. To import the keys, select 'Import'. The keys will be Invalid and Untrusted until you have checked the 'Implicit Trust' box.

From the Command Line:

Extract the ASCII version of the public and private key blocks and save them to disk by using the commands:

For version 2.6.3i -

pgp -kxa <userid> secring.pgp

pgp -kxa <userid> pubring.pgp

For version 5.5.3i and up -

pgp -kxa <userid> pubring.skr

pgp -kxa <userid> secring.skr

If you would like to check that you have successfully imported the keys please send a signed test message to pgp@nic.uk with the subject line of '<tagname> new installation test'. The PGP Team will then send you back the validation results.


