Tool for authentication of Usenet control messages.
Original source: https://ftp.isc.org/pub/pgpcontrol/ and https://git.eyrie.org/?p=usenet/pgpcontrol.git
| PGPKEYS | ||
| pgpverify | ||
| README.html | ||
| signcontrol | ||
<HTML><!-- -*- sgml -*- -->
<HEAD>
<TITLE>Authentication of Usenet Group Changes</TITLE>
<LINK REV="made" HREF="mailto:newgroups-request@uunet.uu.net">
</HEAD>
<BODY>
<H1>Authentication of Usenet Group Changes</H1>
This document addresses a method for the authentication of the special
types of Usenet articles that are used to maintain the namespace of
Usenet groups. A basic familiarity with what the Usenet control
message types "newgroup", "rmgroup" and "checkgroups" do is assumed;
this is not a tutorial in namespace administration.
<P>
Usenet articles are notoriously easy to forge, and control messages
are no exception. Since administrators often want to have their news
systems automatically honor requests from some particular people to
add or remove newsgroups, it is risky to trust the From: and Sender:
headers to identify the real sender of a message, as has historically
been done. Thus a system using Philip Zimmerman's
<A HREF="#Getting PGP">Pretty Good Privacy</A>®
(PGP® ) was developed to provide a more secure means
of authenticating the sender of a control message.
<P>
Unlike traditional PGP authentication of messages, which just
verifies that the contents of the body of a message are unchanged from
when it was digitally "signed", this system also needed to sign a few
headers of the control message to verify the action to be taken and
to guard against certain other pitfalls. Another goal was to make the
signature as unobtrusive as possible and require minimal changes to
existing software in order to work.
<P>
<H2>How to Verify Control Messages</H2>
Listed below are the steps you need to take to enable PGP
authentication of control messages on your system.
<P>
Here is the short and simple version for someone who feels confident
hacking around the news system and doesn't like to read a lot:
<P>
<OL>
<LI>Get and configure the software:
<UL>
<LI>
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/pgpverify">
ftp://ftp.uu.net/networking/news/misc/pgpcontrol/pgpverify</A>
<LI>
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/">
ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/</A>
</UL>
<LI>Add
<A HREF="#Keys">maintainers' PGP public keys</A>
to the news system key ring.
<LI>Enable verification through the news system authorization system.
<DL>
<DT>INN:
<DD>Use the action <B>verify-<I>pgp_userid</I></B> (possibly appended
<B>=<I>logfile</I></B>) in <I>control.ctl</I>.
<DT>C News:
<DD>Use the action <B>p</B> in the fourth field of <I>controlperm</I>.
<DT>Other systems:
<DD>Sorry, not implemented yet.
</DL>
<LI>Test <I>pgpverify</I>.
If you have the news.announce.newgroups key in your key ring, run
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/sample.control">
ftp://ftp.uu.net/networking/news/misc/pgpcontrol/sample.control</A>
through <I>pgpverify</I> on stdin. It should spit out the
string "news.announce.newgroups" on stdout.
</OL>
<P>
Here is a more verbose version of the instructions:
<P>
<OL>
<LI>
Get the software.
<P>
There are two pieces of code that will need to be added to a news
server to make use of this authentication system: a stand-alone
script that verifies an article is what it says it is, and a
patch to hook it into the news server's processing of control messages.
<P>
The stand-alone program,
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/pgpverify">
ftp://ftp.uu.net/networking/news/misc/pgpcontrol/pgpverify</A>,
is a
<A HREF="#Getting Perl">Perl</A>
script that should work with Perl version 4 and up. (I have not tested
it with earlier versions.) It does not contain any code making it
dependent on any particular news server software.
<P>
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/">
ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/</A>
has patches (currently "a patch" is more correct) for hooking the
system into existing news server software. Choose the one for your system
from the list below.
<P>
<UL>
<LI>
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/inn1.4sec/pgpcontrol.pch">
INN version 1.4sec</A>
<LI>
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/inn1.4unoff4/pgpcontrol.pch">
INN version 1.4unoff4</A>
<LI>
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/server-patches/cnews-CR.G/pgpcontrol.pch">
C News version CR.G</A> (Courtesy of System Administrator
<root@hp9000.laafb.af.mil>)
</UL>
<P>
I regret that I do not have the time to develop more patches, but I
will gladly add patches for other systems to this page as they are
made available to me. The INN version 1.4sec patch will apply to
all INN "unoff" versions, albeit with a little bit of fuzz. I am not
positive what versions of C News will work with the C News CR.G
patch; if you try it with other versions, please let me know how it goes.
<P>
<LI>
Install it in your news system.
<P>
First you must ensure that the absolute paths to <I>perl</I> and to
<I>pgp</I> are correct in the first few lines of the <I>pgpverify</I>
program. No other configuration of options or pathnames should be
needed.
<P>
Next, the following steps assume, solely for the sake of making it
easy for me to write a simple recipe, that you have copied
<I>pgpverify</I> and the patch for your system to your news server as
<I>/tmp/pgpverify</I> and <I>/tmp/pgpcontrol.pch</I> respectively. I
have tried to format this so that you should be able to cut and paste
any of the lines in italics directly to your shell.
<P>
<UL>
<LI>If you are running INN:
<P>
<PRE>
cd to the executable program directory that has <I>ctlinnd</I>.
<I>mv /tmp/pgpverify pgpverify</I>
cd to the root of your INN source tree.
<I>cd site</I>
<I>patch < /tmp/pgpcontrol.pch</I>
<I>make install</I>
</PRE>
<P>
It has been reported to me that at least one AIX system has problems
with <I>patch</I> not applying the last section of
<I>parsecontrol.pch</I>. If you run AIX, double check it and apply by
manually editing, if necessary.
<P>
<LI>If you are running C News:
<P>
<PRE>
cd to the C News program directory that has <I>spacefor</I>.
<I>mv /tmp/pgpverify pgpverify</I>
cd to the root of your C News source tree.
<I>cd ctl</I>
<I>patch < /tmp/pgpcontrol.pch</I>
<I>make install</I>
</PRE>
<LI>If you are running some other system:
<P>
You're out of luck until someone writes a patch and instructions for
your system and makes it available to me for redistribution.
<P>
</UL>
<P>
<LI>
Enable verification for the hierarchies that interest you.
<P>
To verify messages, you must have a
<A HREF="#Keys">PGP public key for each signer</A>
that you wish to trust. It should be entered in a key ring that is
accessible to the user-id that runs the news system by running <I>pgp
-ka</I> on a file containing the key to add. For example, at a
site that runs the news server software as <I>news</I>, the following
command run by the <I>news</I> user-id should add the key bounded by
BEGIN and END "PGP PUBLIC KEY BLOCK" lines in the file <I>/tmp/key</I>
to the default key ring that would be used for authentication:
<PRE>
<I>pgp -ka /tmp/key</I>
</PRE>
<P>
As a general policy rule, control message signers will not use their
control message keys to introduce other keys, so when PGP asks you a
question similar to, "Would you trust this user to act as an
introducer and certify other people's public keys to you?" answer that
you would not.
<P>
After you have added the appropriate key to your key ring, you need to
tell the news software to validate the control messages received.
As implemented, the system will perform the requested action if the
message can be authenticated and it will mail the message to the news
system administrator if it cannot. Clearly there are other possible
actions that could be implemented, but I wanted to keep the patches
minimal. Future releases of the server software will probably have
increased flexibility.
<P>
<UL>
<LI>If you are running INN:
<P>
Automatic processing of control messages is handled by
<I>control.ctl</I>, which you edit in the same <I>site</I>
subdirectory where you patched <I>parsecontrol</I>.
<I>control.ctl</I> has several lines at the beginning of it that
describe the format of the file, and there is an even longer
<I>control.ctl(5)</I> manual page. To enable PGP verification in
addition to the normal authorization done by <I>control.ctl</I>, use
the action <B>verify-<I>pgp_userid</I></B> in the fourth field.
<P>For example, if you trust tale@uunet.uu.net to manage
groups in the "Big 8" hierarchies, you could have lines like these
(but don't use the backslash continuation, which I have used here for
readability; keep it all on one line):
<P>
<PRE>
newgroup:tale@uunet.uu.net:\
comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
verify-news.announce.newgroups
rmgroup:tale@uunet.uu.net:\
comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
verify-news.announce.newgroups
checkgroups:tale@uunet.uu.net:\
comp.*|humanities.*|misc.*|news.*|rec.*|sci.*|soc.*|talk.*:\
verify-news.announce.newgroups
</PRE>
<P>
Additionally, if you like the logging feature available with the
action <B>doit=<I>logfile</I></B>, you can get the same logging
by using <B>verify-<I>pgp_userid</I>=<I>logfile</I></B>.
<P>
<LI>If you are running C News:
<P>
Automatic processing of control messages is handled by
<I>controlperm</I>, which you edit in the subdirectory where you
patched the control message handling scripts. There is a
<I>controlperm(5)</I> manual page that describes its format. To
enable PGP verification in addition to the normal authorization done
by <I>controlperm</I>, use the action <B>p</B> in the fourth field
instead of <B>y</B>.
<P>
For example, if you trust tale@uunet.uu.net to manage groups in the
"Big 8" hierarchies, you could have lines like these:
<P>
<PRE>
comp,sci,misc,news,rec,soc,talk tale@uunet.uu.net nrc pv
</PRE>
You could then remove the line that follows the comment, "but his name
can be forged, so don't let him rmgroup..."
<P>
Note that there is no provision, with the current C News patches, for
checking that the signature matches a particular string, just that it
it has a valid signature. This is probably adequate security as long
as you keep the news user's PGP key ring limited only to people you
trust to maintain newsgroup hierarchies.
<P>
<LI> If you are running some other system:
<P>
You're out of luck until someone writes a patch and instructions for
your system and makes it available to me for redistribution.
<P>
</UL>
<P>
<LI>
Test the system.
<P>
Get
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/sample.control">
ftp://ftp.uu.net/networking/news/misc/pgpcontrol/sample.control</A>
and save it to a file on your system; <I>/tmp/sample.control</I> will
be used for this example. You'll use it to make sure things will work
as expected.
<P>
To verify the control message, you will need the
<A HREF="#news.announce.newgroups">key for news.announce.newgroups</A>
and authorization in your news system for tale@uunet.uu.net to
automatically perform "newgroup". Go ahead and enable it for the test
even if you don't want to really allow this, because it is easy enough
to rescind after the test by editing the control message authorization
file and removing the key with <I>pgp -kr news.announce.newgroups</I>.
<P>
You can check that the <I>pgpverify</I> part of the system will work
properly simply by feeding it the sample control message on stdin:
<PRE>
pgpverify < /tmp/sample.control
</PRE>
<P>
If if could run pgp and find the correct key in the default key ring,
the string <B>news.announce.newgroups</B> should be printed. The exit
status of the script, found in most shells with the command <I>echo
$?</I> as the next command after <I>pgpverify</I>, should be 0 (zero).
<P>
If it doesn't work and you've tried and tried to figure out why,
<A HREF="mailto:tale@uunet.uu.net (David C Lawrence)">email me</A>
a complete description of the problem you are having and how you have
tried to remedy it. At a bare minimum, your mail should include a
copy of the message you are trying to verify, a typescript of the
attempted execution, and the output of <I>pgp -kc</I> and
<I>pgp -kvc news.announce.newgroups</I>.
<P>
When <I>pgpverify</I> passes its test, use the appropriate procedure
below for you news server to verify the authorization system.
<P>
<UL>
<LI>If you are running INN:
<P>
First, cd to the directory where <I>parsecontrol</I> is installed.
Then execute the following four lines, in order, as the user who owns
the news system:
<PRE>
/bin/sh
PROG=newgroup
set -- tale@uunet.uu.net "" /tmp/sample.control
(. ./parsecontrol "$@"; echo $ACTION)
</PRE>
<P>
If the message verified correctly, the <I>echo</I> command should
output <B>doit</B>; otherwise, verification failed and the output
should be <B>mail</B>.
<P>
Edit <I>/tmp/sample.control</I> and change all occurences of
<B>newusers</B> to <B>newgroups</B>. Then repeat the
<I>parsecontrol</I> and <I>echo</I> lines. This time verification
should fail.
<P>
<LI>If you are running C News:
<P>
Because of the way C News is implemented, I have not taken the trouble
to find out how it can be tested without running through the whole
<I>newgroup</I> script. If you are testing with <I>sample.control</I>,
I think this should let you know whether things will work:
<PRE>
newsflag news.announce.newusers y
newgroup news.announce.newusers moderated < /tmp/sample.control
</PRE>
<P>
(newsflag is the C News program <I>maint</I> subdirectory; newgroup is
in the <I>ctl</I> subdirectory.)
<P>
You should get a mail message telling you that news.announce.newusers
was changed to moderated. If it didn't appear to work, doublecheck
the <I>active</I> file. If it really didn't work, fix the status of
the group with the following command then let me know about.
<PRE>
newsflag news.announce.newusers y
</PRE>
<P>
If the message did verify correctly, edit <I>/tmp/sample.control</I>
and change all occurences of <B>newusers</B> to <B>newgroups</B>.
Then repeat the <I>newgroup</I> line with an <B>unmoderated</B>
argument instead of <B>moderated</B>; the argument is unused in the
PGP verification code and doing it this way saves you the effort of
<I>newsflag</I>ging things again.
<P>
With the changes to <I>sample.control</I> you should now get a mail
message saying, "authentication failed".
<P>
When you are all done, make sure news.announce.newusers is really
marked moderated in your <I>active</I> file.
<P>
<LI>If you are running some other system:
<P>
You're out of luck until someone writes a patch and instructions for
your system and makes it available to me for redistribution.
</UL>
</OL>
<H2>Frequently Asked Questions</H2>
<OL>
<H3><LI>How come this presumably valid messages doesn't check out with
pgpverify?</H3>
<UL>
<LI>You don't have the latest version of <I>pgpverify</I>, which fixed
whatever bug is causing authentication of the message to fail.
<LI>You don't have your PGP configuration files and keyrings in the
default path used by <I>pgp</I> and <B>PGPPATH</B> is not correctly
set in your environment. Either move your PGP directory to the
default location or set the <B>$ENV{'PGPPATH'}</B> line in <I>pgpverify</I>.
(Warning: some INN versions set <B>$HOME</B> to <B>_PATH_NEWSLIB</B>,
so this might be the source of your trouble.)
<LI>You don't have the correct key for the user that signed it in your
key ring.
<LI>You are using a non-English version of <I>pgp</I>, set up with
a "<B>Language</B> = " line in your PGP <I>config.txt</I> file. This
means pgpverify can't find the string it is looking for in
the <I>pgp</I> output. <I>pgpverify</I> tries to overcome a non-English
language specification by setting <B>LANGUAGE</B> in the
environment before calling <I>pgp</I>, but <I>pgp</I> overrides the
runtime environment with the <I>config.txt</I> variables.
<LI>You cut-and-pasted the message in your window system, which
converted the tab characters in the original message into spaces in
the message you are trying to decode. Having this handled completely
correctly by the signing/verifying code is harder than you might first
think.
<LI>You are running <I>pgpverify</I> on a saved
copy of the article that includes an extraneous trailing newline, such
as might be inserted by saving the message from a mail handler or news
reader, that was not present in the original message.
<LI>You cut-and-pasted the sample INN <I>control.ctl</I> lines above
and left the continuation lines in, instead of joining each group of
three physical lines comprising one logical line to just one physical line.
</UL>
</OL>
<HR><HR>
<H2><A NAME="Keys">List of PGP Public Keys for Newsgroup Administration</A></H2>
This is a list of keys known to be used for maintaining various parts
of the newsgroup namespace. They are listed alphabetically by the
hierarchies they are used for, along with the email address they are
sent by and the pgp key userid of the signature (both for use in
<I>control.ctl</I>). The group that people should follow if they are
interested in tracking announcements about the hierarchy is also
listed. The "Check also" references point to locations that should
have identical public key blocks; it is best if you confirm the block
listed here by checking against the others.
<P>
The existence of key here only means that I, David Lawrence, trust the
person who uses it to be a responsible maintainer of that particular
hierarchy of groups. You are solely responsible for deciding whether
you will use the keys here at your own site.
<P>
<A NAME="clari.net.admin"><HR></A>
<H3>clari</H3>
Control message sender:
<A HREF="mailto:clarinet@clarinet.com">cl*@clarinet.com</A><BR>
(But see
<A HREF="http://www.clari.net/tech/inn.html#signing">
http://www.clari.net/tech/inn.html#signing</A>
)<BR>
Key User ID: ClariNet.Group<BR>
Administrative group:
<A HREF="news:clari.net.admin">clari.net.admin</A><BR>
Check also:
<UL>
<LI><A HREF="http://www.clari.net/tech/clarikey.txt">
http://www.clari.net/tech/clarikey.txt</A>
</UL>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzHhqEwAAAEEAK4YEXf3jB1ArKUs8bUMT666mjovSpCiuNGhTClxwLvSJrrB
K4n5ibvAPqAKh8T1AxqDdprDPWPdm/uGAF6/3gFHD8YFA1wU2EayYNWlQ1kvDRI7
bkmkq4QC2rtLnYpsOxwxyjTFsY1cvav+SSLziYauIlsOcHcix8rAq9eiL9vNAAUR
tA5DbGFyaU5ldC5Hcm91cA==
=xkhA
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<P>
<A NAME="news.announce.newgroups"><HR></A>
<H3>comp, humanities, misc, news, rec, sci, soc, talk</H3>
Control message sender:
<A HREF="mailto:newgroups-request@uunet.uu.net">tale@uunet.uu.net</A><BR>
Key User ID: news.announce.newgroups<BR>
Administrative group:
<A HREF="news:news.announce.newgroups">news.announce.newgroups</A><BR>
Check also:
<UL>
<LI><A HREF="ftp://ftp.uu.net/usenet/news.announce.newgroups/PGP.PUBLICKEY">
ftp://ftp.uu.net/usenet/news.announce.newgroups/PGP.PUBLICKEY</A>
<LI><A HREF="http://pgp.ai.mit.edu:11371/pks/lookup?op=get&search=0xB88DA9C1">
pgp-public-keys-beta@pgp.ai.mit.edu</A> ("Subject: GET 0xB88DA9C1", empty body)
</UL>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.7
mQCNAjFsLmQAAAEEAKPbDQI6oDtYJYPvYxt7I4PMxThaq51Z/5kqfW7C3dMn6vPL
d+UsXHfRzMaQXkLBR4nIaQj5OHVtbKCjVTVIMtgfgsPeh9GRSONW870S5HUTQcB7
eDhQqvvst1ZEowhTf/CX01chaxOfWq3ZPB09VVohQTmvRJn2BMJdOtO4janBAAUR
tBduZXdzLmFubm91bmNlLm5ld2dyb3Vwc4kAlQIFEDF33BHCXTrTuI2pwQEBiJQD
/1uiv20adyB2a3tzBYESEEhKtugAVHGRJQJE4Ar5PrcnovF3aNpLFumslIaAzCwP
XlCANMjFHg140IB6SgJ8W8XH15u+1cMOmqTbk0wtmVgeLOLaSMgNWt65FV4AUn7e
RZdhK8j/JKxE0a+6gKu4S0PiUDrvnCEWUPjlXiqsbnjR
=E8K8
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<P>
<A NAME="de.admin.news.announce"><HR></A>
<H3>de</H3>
Control message sender:
<A HREF="mailto:moderator@dana.de">moderator@dana.de</A><BR>
Key User ID: de.admin.news.announce<BR>
Administrative group:
<A HREF="news:de.admin.news.announce">de.admin.news.announce</A><BR>
Check also:
<UL>
<LI><A HREF="ftp://ftp.thur.de/pub/people/lutz/pgpnews/German/PGPKEYS">
ftp://ftp.thur.de/pub/people/lutz/pgpnews/German/PGPKEYS</A>
<LI><A HREF="http://pgp.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xD3033C99">
pgp-public-keys@pgp.ai.mit.edu</A> ("Subject: GET 0xD3033C99", empty body)
</UL>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzGeB/YAAAEEALZ+Xfm/WDCEMXM48gK1PlKG6TkV3SLbXt4CnzpGM0tOMxsT
HjlHaU6Xco5ijAuqM1wEGUHD5hw/BL/heR5Tq+C5IEyXQQmYwkrgeVFMOz/rA3Rf
rd9aKQk1bXBxmavi9WxdXP2zxuSglc395StvmO+WxXbBCg1POnU26rXTAzyZAAUT
tBZkZS5hZG1pbi5uZXdzLmFubm91bmNliQCVAwUQMaEnw/Ki8vYA8NXpAQF7kQP/
YNaIHxaHzqQQwfcTG+ICdoiIakmainbZyyHwOYV6nG+sPlRnkPnlC9RP2I+wE91o
WrPHQLlZv1a7+VkXstmHtzW+JzzaaQGaH2+E9wOXMMI97/7GtsCfjEKWi8OZPDEE
SloZH+ibsyPXCnOb7LPUyfGuh8RK9aUAnZUEmAzi20+JAHUDBRAxn7vcfZiDsyJG
Qh0BARv+AvoCVp8UUmQ+Us5OKwGNZfLgVjOa3o9q/MMCR7eGdR3rqUiTL23YVD2s
j4/L2nBnwYF0vLkiPhhrAVO7Gq/z29D5g2vQXJdH0NHc4CAUps0Uls6w8n5Uy3Xu
fB4DCQx/f7WJARUDBRAxngnCCdxwOTnzf10BAcKUB/9F8pyUyGKYc8I9lj3oUxe2
Piz+3DtTpBxvf3zQwylxFnWgZ9ZwuqhXmyzhBdUmGmT8xmk1jONJZyrR6P38D+h5
EduaQ2mKKa3iNgYMwv5Qzh5UCka7NLXkfylsuXOCFDNhSaY4jU4HLgI5ngL8gJJ1
7LnC5heUw6yvO8wyUyH4cW8rbv5Ov+22t/9d48x44hvcHZZ4ZOWvYh+dQGAH484t
sK7CXqvH5QYHxetUSq/p2mlEsxf0tzgEAoQ9TZ0/Ai9o5/6H7EgGRTPRLMxJd+/H
y9iJs4QRI/gCjdqcvzHj1wHtLcVWiG+qQZxIXeX/u665Qe7aSSSrGLp7QOmFnAo1
iQCVAwUQMZ4H93U26rXTAzyZAQE0IgP/dTnrrgsVLRAa5gJYVWmQgSqkXYcsVgYt
isBpaGJSW2+5ifD7vaPu9Vj4aNvqO4zyzdAoWXiqRJ/qiXgoeG7DV01tw8s197RH
IB+DQ6hLuF0IX4dtbGjpiujapwXQ0s3fcu/UuLBRv5UJtNU9hD8vGFkj9mYBzA8L
XjtwTuQVfBe0Ezxtb2RlcmF0b3JAZGFuYS5kZT6JAJUDBRAxngjIdTbqtdMDPJkB
AXQsA/96/iGcbkpEaOUdb3aQCzCDocUGCDH9UrRfjT0sjTMgAmXELdukCiMyt1KT
+vnnPqiwNRdIPD4h3Qk8U70BY6JCAAC03rOtg6EcUGn7ryH2TrvhiD0geqPcFZ1G
MkXq08qh9g9Wm9Gi8zP6VI7L1lyxuz7m3w+P1lUBDJ/EGSoPkA==
=i/Qv
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<P>
<A NAME="fr.announce.newgroups"><HR></A>
<H3>fr</H3>
Control message sender:
<A HREF="mailto:control@usenet.fr.net">control@usenet.fr.net</A><BR>
Key User ID: fr.announce.newgroups<BR>
Administrative group:
<A HREF="news:fr.announce.newgroups">fr.announce.newgroups</A><BR>
Check also:
<UL>
<LI><A HREF="http://pgp.ai.mit.edu:11371/pks/lookup?op=get&search=0x382B64FD">
pgp-public-keys-beta@pgp.ai.mit.edu</A> ("Subject: GET 0x382B64FD", empty body)
</UL>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2i
mQCNAzF41OMAAAEEAOnjgblNPQ+Xhnxw3K/EMz1vm2sfi2Ci/XG8HsWg2yc+hQla
fMGQbQciSDFsBK0Kmy7gNvC9c7qAsQfeqpvQqJ+3hJiUvbQIi6bj2ZOSqE58Vh80
7Y+Fx71R/AKGZ88dGbysUg1r5770aw6JP1wn6Ve29PRTdS7yasmXGhU4K2T9AAUT
tBVmci5hbm5vdW5jZS5uZXdncm91cHOJAJUDBRAxf8MhyZcaFTgrZP0BAZ0ZA/0S
nxzmcN/yI858v+80ZpWaMkO/OtdF49gCfv/yv8xrRQfdGkjLFIl+Gry/H9236MZD
rTSjb5R2PaicExO3b0tcRAAGOXyrRwc1squDdSvldko2ewQE9giZ4T1+fJRou1yO
hbwPmaOBOt2EropUpvRPfKNeu/vjdKv1GEREkhIZTQ==
=o/05
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<P>
<HR>
<H3>humanities</H3>
See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry.
<HR>
<H3>misc</H3>
See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry.
<HR>
<H3>news</H3>
See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry.
<A NAME="pgh.config"><HR></A>
<H3>pgh</H3>
Control message sender:
<A HREF="mailto:pgh-config@psc.edu">pgh-config@psc.edu</A><BR>
Key User ID: pgh.config<BR>
Administrative group:
<A HREF="news:pgh.config">pgh.config</A><BR>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzKkdTUAAAEEAMJVCGgsorYtryCzGKYe6tTv5tgE6l4j3eKkYkdn37icoFAx
VANFdTHy/1e5GQJxMcnDV3610NQNSXE2sTc8br2IBYqbt7XkyQ48xzW6/qdARQHu
b9cp0epIKKOu/4Zguxw+hkLyN4leziO1ts1ThnV2Tkaixu9+BpgGy01AM7MxAAUR
tApwZ2guY29uZmlniQCVAwUQMqR1aJgGy01AM7MxAQEYbwP+MZRjtrY/wiayMehw
KSDwXZqHh1stPOu/Rh8msk7ebeq4KdnLIgLinwcWZM1v4+ktww4TO2OKXouIVKtL
YTNVLYAF3AAmHee00XFDaaZMIOsPfEwr+P4YUjLvxPfj1IEaEQXpODQTLUCqRYZ2
AupSOzmnD4HwwDt5Q5/1BosAg/c=
=mXnj
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<A NAME="pl.announce.newgroups"><HR></A>
<H3>pl</H3>
Control message sender:
<A HREF="mailto:michalj@fuw.edu.pl">michalj@*fuw.edu.pl</A>
or <A HREF="mailto:newgroup@usenet.pl">newgroup@usenet.pl</a><BR>
Key User ID: pl.announce.newgroups<BR>
Administrative group:
<A HREF="news:pl.news.admin">pl.news.admin</A><BR>
Check also:
<UL>
<LI><A HREF="http://www.ict.pwr.wroc.pl/doc/news-pl-new-site-faq.html#pgp">
http://www.ict.pwr.wroc.pl/doc/news-pl-new-site-faq.html#pgp</A>
<LI><A HREF="http://pgp.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0x838AF8ED">
pgp-public-keys@pgp.ai.mit.edu</A> ("Subject: GET 0x838AF8ED", empty body)
</UL>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2i
mQCNAzGvEY4AAAEEAL8clpC5yydhkMN1ppivfj3E6EIyZtntScjuCyI+RwpvLf9o
So+FLbiMmjjCV7BNjds7c1yaDMPDFetZlqEYKof5Q0QK2bDaaou3wtnDesAXqrde
K24GURn0N2BYWR9sEFJ4bwn8fudHelFcAXPt24lI29bu6dX+LddKTteDivjtAAUR
tBVwbC5hbm5vdW5jZS5uZXdncm91cHOJAJUDBRAyc5r/10pO14OK+O0BAWq9A/0e
So5/56x6hkT0to92FUiIbcoHF6J20sa4edDXbzTHZTvNJh3K4iSBwkspMcx8AWyS
36ckftXsZP2xRTj2Dk4xgLLCcFBjPHt7q5ysa8dChkgEu8770OE5atbQZorzz757
xpOgKmjRXLVbzt680Z807jH/zOo+BRby3ZMJFtGPyrQXPGNvbnRyb2xAYWRtLnVz
ZW5ldC5wbD4=
=n+Qy
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<HR>
<H3>rec</H3>
See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry.
<HR>
<H3>sat</H3>
Control message sender:
<A HREF="mailto:satgroup@endicor.com">satgroup@endicor.com</A><BR>
Key User ID: satgroup@endicor.com<BR>
Administrative group:
<A HREF="news:sat.usenet.config">sat.usenet.config</A><BR>
Check also:
<UL>
<LI><A HREF="http://www.endicor.com/sat-faq/pubkey.asc">
send-satgroup-pubkey@endicor.com</A> (Subject: and body don't matter)
<LI><A HREF="http://pgp.ai.mit.edu:11371/pks/lookup?op=get&search=0x98690EE9">
pgp-public-keys@pgp.ai.mit.edu</A> ("Subject: GET 0x98690EE9", empty body)
</UL>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzHtkkUAAAEEAN9sqrBBgcjuaG+mWamDYbOz0GARQhY7dli6m6c6zBaAhvZV
i2CBy4deMWF5wAWY0SPFTSeowZrkI1fCIFwBt2XRdEj8YY06BpsXYaajvD10yppg
Lx70y662p+R7pK7GAlbsaf8o/y31pzbFssJAWA8GGkFbnpRN2gv3azuYaQ7pAAUT
tDFzYXRncm91cEBlbmRpY29yLmNvbSAoc2F0LiogbmV3c2dyb3VwcyBjYXJldGFr
ZXIpiQCVAwUQMe2S+JEf2RAnz77pAQFDIgQAx4DVWloh7gABTQL1B80YDMaiN0x2
haYSCMXHdteksEbzAocqbdzxaFPC9EXdXjl7pmIIwTFcB66LGTtesIgMOhLrzJlF
LmdqHaK6fvHzBzxHSOiSu2DJcMxyT/xj/U163BUFgCspxVqjh3IoGXqWn5l7uie7
S97e+5IjWoiC1vmJAJUDBRAx7ZJjC/drO5hpDukBAdBDA/oDemhuh3iKeurUYhEF
cy50jKNJN36joVJ6tw5FhfTtxShLDpkoxzqKLHHbMTK8HXyrtz+qF8aaSKn8DIGr
27wqi3Uz1zzCfM8KHF+4ldmW7+ABPu8Ih1KhgKZ180+xmqYp1qzQJIuqKktWySOG
n8F00ZMLQvJk27tF3poaaTq39A==
=IUEe
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<P>
<HR>
<H3>sci</H3>
See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry.
<HR>
<H3>soc</H3>
See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry.
<HR>
<H3>talk</H3>
See the <A HREF="#news.announce.newgroups">comp</A> hierarchy entry.
<HR>
<H3>uk</H3>
Control message sender:
<A HREF="mailto:control@usenet.ork.uk">control@usenet.org.uk</A><BR>
Key User ID: uk.net.news.announce<BR>
Administrative group:
<A HREF="news:uk.net.news.announce.config">uk.net.news.announce.config</A><BR>
Check also:
<UL>
<LI><A HREF="http://pgp.ai.mit.edu:11371/pks/lookup?op=get&search=0x21F2F1D9">
pgp-public-keys@pgp.ai.mit.edu</A> ("Subject: GET 0x21F2F1D9", empty body)
</UL>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6
mQCNAjGL0cgAAAEEAJ6p7fQHn139U9zQawLixrExOUrkFhi1yLb8m8fLxmKTprKn
ZNM1nnxMSbRyO8vXohXKKs4G1U2jTpaCkSRrbCiJ5VxWB/B31E/p/vrBXqqQ2amq
3gb4Df9DZub0ZtOhHTF/pPjQmXvAv08umjZWpYlXRmUHBlBhMmOfGXkh8vHZAAUR
tBR1ay5uZXQubmV3cy5hbm5vdW5jZbQXPGNvbnRyb2xAdXNlbmV0Lm9yZy51az6J
AJUCBRAxi9UdY58ZeSHy8dkBARf4A/4pB46ZibhtdF9z1wP8nImdK6qlaNNf+Kuc
svLxwRhn6KX8aaq4xpzbVFeJFpbjaNP9bmGZtaO03qhyOkor/8lkKfkJXTeJxA90
T2rqgrY+XLm5jIK8l4NqXAgYmPm6x1hK9LQVe3EkjhxYqcDOeRQNtnLUM0OZyD2U
Pijwt1o3WYkAlQIFEDGL1FGemw5PLx059QEBje0EAKx99yOZ0zQ9FjibuEBStP8t
0BCsRNqkrVjxO513RBXecgcdXdv9hWn+8LNRZx6JLHv/ZpWsdGXqP3oiqj+LRt7W
pHnZ55He/njx5DAoPAM/TjgTk7arazSjsJuFhcTP7gHitLDoHxVkUfdLX8h4HH9L
WhEnrWEx82EY/29z/xQ6iQCVAgUQMYvTeKSiIc7jUXyJAQHLNwP/Qz+g2RRsuSZr
J9L0HAVPLcmloAEGOMFfYJDM/mvxegAYzL8i0HGFbwTH/+E94WSmsWAx1KZ/Z2DY
KdI7BUaS8c09a2OtqOEbCd7QBI37seyxG0rTWNpuE0ZXBo0eiQBg37oIW+Faf/tq
JQZnALVsV5LDKcf+6+MhgS47HWJ6ZjQ=
=SaMt
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<P>
<HR><HR>
<H2><A NAME="Signing">Signing Control Messages</A></H2>
If you are responsible for sending control messages about authorized
changes to a newsgroup hierarchy, then
<A HREF="ftp://ftp.uu.net/networking/news/misc/pgpcontrol/signcontrol">
ftp://ftp.uu.net/networking/news/misc/pgpcontrol/signcontrol</A> will
sign your control messages so that <I>pgpverify</I> can authenticate
them. It is a Perl script that requires Perl version 5 or higher to
work. It has several configuration parameters that should be reviewed
before use.
<P>
When establishing a PGP key and control message sender, please use
tokens that are not tied to a particular individual. This makes it
easier to transfer the administrative responsibility when it finally
comes time. (The all-too-common "tale@uunet.uu.net" sender is still
used for control messages because of its legacy in the installed
server base; I would prefer to use newgroups-request@uunet.uu.net.)
Please also do not sign other keys with the key that is used for
control messages.
<P>
If you will be using this script to sign control messages, please
<A HREF="mailto:tale@uunet.uu.net (David C Lawrence)">let me know</A>
the hierarchy that you are responsible for maintaining and the
information that you would like to appear in the
<A HREF="#Keys">List of PGP Public Keys for Newsgroup Administration</A>.
<HR><HR>
<H2><A NAME="Getting PGP">How to Get PGP</A></H2>
Information about obtaining PGP can be found in the
<A HREF="http://www.cis.ohio-state.edu/hypertext/faq/usenet/pgp-faq/where-is-PGP/faq.html">
Where to get the latest PGP FAQ</A>
article, posted regularly in the
<A HREF="news:alt.security.pgp">alt.security.pgp</A>
newsgroup.
<H2><A NAME="Getting Perl">How to Get Perl</A></H2>
Information about obtaining Perl can be found in the
<A HREF="http://www.cis.ohio-state.edu/hypertext/faq/usenet/perl-faq/part1/faq.html">
comp.lang.perl.* FAQ 1/5 - Availability</A>
article, posted regularly in the
<A HREF="news:comp.lang.perl.misc">comp.lang.perl.misc</A>
newsgroup.
<HR>
Last modified: 30 October 1996
<ADDRESS>
David C Lawrence<BR>
<A HREF="mailto:tale@uunet.uu.net (David C Lawrence)">
tale@uunet.uu.net</A>
</ADDRESS>
</BODY>
</HTML>