httpd-cvs mailing list archives

From n..@apache.org
Subject svn commit: r1793205 - /httpd/site/trunk/content/dev/verification.mdtext
Date Sat, 29 Apr 2017 14:36:48 GMT
Author: niq
Date: Sat Apr 29 14:36:48 2017
New Revision: 1793205

URL: http://svn.apache.org/viewvc?rev=1793205&view=rev
Log:
Further improve PGP verification instructions.

Modified:
    httpd/site/trunk/content/dev/verification.mdtext

Modified: httpd/site/trunk/content/dev/verification.mdtext
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/verification.mdtext?rev=1793205&r1=1793204&r2=1793205&view=diff
==============================================================================
--- httpd/site/trunk/content/dev/verification.mdtext (original)
+++ httpd/site/trunk/content/dev/verification.mdtext Sat Apr 29 14:36:48 2017
@@ -60,7 +60,7 @@ together, so you should be able to conne
     gpg: Total number processed: 2
     gpg:               imported: 2  (RSA: 2)
 
-In this example, you have now received two public keys for an entity known
+In this example, you have now received two public keys for entities known
 as 'Jim Jagielski <jim@apache.org>' However, you have no way of
 verifying whether these keys were created by the person known as Jim
 Jagielski whose email address is claimed.  In fact, one of them is
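Review bot: the rewritten sentence still has no terminator before "However" in the unchanged context line, so it reads "...'Jim Jagielski <jim@apache.org>' However, you have no way of"; since the line is being touched anyway, suggest ending the first sentence with a period after the closing quote, e.g. "as 'Jim Jagielski <jim@apache.org>'. However, you have no way of". The singular-to-plural change ("entities") is otherwise consistent with the following text, which says one of the two imported keys is not Jim's.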
@@ -98,26 +98,22 @@ to validate the authenticity of this key
 
 # Validating Authenticity of a Key # {#Validating}
 
-There are two ways to validate Jim's key.  The really secure way
+The crucial step to validation is to confirm the key fingerprint of the
+public key.  We saw the fingerprint when we verified the download: it's
+A93D 62EC C3C8 EA12 DB22  0EC9 34EA 76E6 7914 85A8
+
+There are two ways to validate Jim's fingerprint.  The really secure way
 (described below) is using the PGP "Web of Trust", which will give
 you a cryptographically-strong chain of trust to Jim's key.
 However, if you are new to PGP, this takes some time and effort.
 A shortcut to a reasonable level of security is to check Jim's
 fingerprint (using https, not http) against the database maintained
 by the Apache foundation of Apache developers' fingerprints at
-https://people.apache.org/keys/committer/
-
-The crucial step to validation is to confirm the key fingerprint of the
-public key.
-
-    % gpg --fingerprint 791485A8
-    pub   4096R/791485A8 2010-11-04 2002-04-10 
-          Key fingerprint = A93D 62EC C3C8 EA12 DB22  0EC9 34EA 76E6 7914 85A8
-    uid                  Jim Jagielski (Release Signing Key) <jim@apache.org>
-    uid                  Jim Jagielski <jim@jimjag.com>
-    uid                  Jim Jagielski <jim@jaguNET.com>
-    uid                  Jim Jagielski <jimjag@gmail.com>
-    sub   4096R/9B6D9BF7 2010-11-04
+https://people.apache.org/keys/committer/ .
+Note that this shortcut fails catastrophically if the Apache website is
+ever compromised, or if an imposter breaks HTTPS security by obtaining
+a fake certificate and impersonates the site.  Be sure to keep an eye
+on the techie press for news stories of any such event!
 
 A good start to validating a key is by face-to-face communication with
 multiple government-issued photo identification confirmations. However,
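Review bot: dropping the `gpg --fingerprint 791485A8` invocation and its output removes the only shown way for the reader to display the fingerprint of the key they just imported, which is the value the new text says they must compare against what they saw at download verification; suggest keeping a fingerprint command in this section so the comparison step is concrete rather than implied. Two presentation points on the added lines: the fingerprint "A93D 62EC C3C8 EA12 DB22  0EC9 34EA 76E6 7914 85A8" is now inline prose rather than indented like the surrounding gpg output, and "https://people.apache.org/keys/committer/ ." has a stray space before the period. The new caveat about a compromised site or a forged HTTPS certificate is a good addition, since it makes clear that the people.apache.org shortcut rests on a single source; the "keep an eye on the techie press" advice could be complemented by pointing the reader at the Web of Trust path described in the same paragraph as the stronger check.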


