httpd-cvs mailing list archives

From build...@apache.org
Subject svn commit: r1011384 - in /websites/staging/httpd/trunk/content: ./ dev/verification.html
Date Sat, 29 Apr 2017 14:36:53 GMT
Author: buildbot
Date: Sat Apr 29 14:36:53 2017
New Revision: 1011384

Log:
Staging update by buildbot for httpd

Modified:
    websites/staging/httpd/trunk/content/   (props changed)
    websites/staging/httpd/trunk/content/dev/verification.html

Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Apr 29 14:36:53 2017
@@ -1 +1 @@
-1793202
+1793205

Modified: websites/staging/httpd/trunk/content/dev/verification.html
==============================================================================
--- websites/staging/httpd/trunk/content/dev/verification.html (original)
+++ websites/staging/httpd/trunk/content/dev/verification.html Sat Apr 29 14:36:53 2017
@@ -147,7 +147,7 @@ together, so you should be able to conne
 </pre></div>
 
 
-<p>In this example, you have now received two public keys for an entity known
+<p>In this example, you have now received two public keys for entities known
 as 'Jim Jagielski &lt;jim@apache.org&gt;' However, you have no way of
 verifying whether these keys were created by the person known as Jim
 Jagielski whose email address is claimed.  In fact, one of them is
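Review bot: the unchanged context line directly below the edited one still reads "'Jim Jagielski &lt;jim@apache.org&gt;' However, you have no way of", with no period before "However". Since this sentence is being reworded anyway, close it after the quoted name so the plural "entities" sentence and the "However" sentence read as two separate statements.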
@@ -182,27 +182,21 @@ Then, if you tried to verify the signatu
 would succeed because the key was not the 'real' key. Therefore, you need
 to validate the authenticity of this key.</p>
 <h1 id="Validating">Validating Authenticity of a Key<a class="headerlink" href="#Validating"
title="Permanent link">&para;</a></h1>
-<p>There are two ways to validate Jim's key.  The really secure way
+<p>The crucial step to validation is to confirm the key fingerprint of the
+public key.  We saw the fingerprint when we verified the download: it's
+A93D 62EC C3C8 EA12 DB22  0EC9 34EA 76E6 7914 85A8</p>
+<p>There are two ways to validate Jim's fingerprint.  The really secure way
 (described below) is using the PGP "Web of Trust", which will give
 you a cryptographically-strong chain of trust to Jim's key.
 However, if you are new to PGP, this takes some time and effort.
 A shortcut to a reasonable level of security is to check Jim's
 fingerprint (using https, not http) against the database maintained
 by the Apache foundation of Apache developers' fingerprints at
-https://people.apache.org/keys/committer/</p>
-<p>The crucial step to validation is to confirm the key fingerprint of the
-public key.</p>
-<div class="codehilite"><pre><span class="c">% gpg --fingerprint 791485A8</span>
-<span class="n">pub</span>   4096<span class="n">R</span><span
class="o">/</span>791485<span class="n">A8</span> 2010<span class="o">-</span>11<span
class="o">-</span>04 2002<span class="o">-</span>04<span class="o">-</span>10

-      <span class="n">Key</span> <span class="n">fingerprint</span>
<span class="p">=</span> <span class="n">A93D</span> 62<span class="n">EC</span>
<span class="n">C3C8</span> <span class="n">EA12</span> <span class="n">DB22</span>
 0<span class="n">EC9</span> 34<span class="n">EA</span> 76<span
class="n">E6</span> 7914 85<span class="n">A8</span>
-<span class="n">uid</span>                  <span class="n">Jim</span>
<span class="n">Jagielski</span> <span class="p">(</span><span
class="n">Release</span> <span class="n">Signing</span> <span class="n">Key</span><span
class="p">)</span> <span class="o">&lt;</span><span class="n">jim</span><span
class="p">@</span><span class="n">apache</span><span class="p">.</span><span
class="n">org</span><span class="o">&gt;</span>
-<span class="n">uid</span>                  <span class="n">Jim</span>
<span class="n">Jagielski</span> <span class="o">&lt;</span><span
class="n">jim</span><span class="p">@</span><span class="n">jimjag</span><span
class="p">.</span><span class="n">com</span><span class="o">&gt;</span>
-<span class="n">uid</span>                  <span class="n">Jim</span>
<span class="n">Jagielski</span> <span class="o">&lt;</span><span
class="n">jim</span><span class="p">@</span><span class="n">jaguNET</span><span
class="p">.</span><span class="n">com</span><span class="o">&gt;</span>
-<span class="n">uid</span>                  <span class="n">Jim</span>
<span class="n">Jagielski</span> <span class="o">&lt;</span><span
class="n">jimjag</span><span class="p">@</span><span class="n">gmail</span><span
class="p">.</span><span class="n">com</span><span class="o">&gt;</span>
-<span class="n">sub</span>   4096<span class="n">R</span><span
class="o">/</span>9<span class="n">B6D9BF7</span> 2010<span class="o">-</span>11<span
class="o">-</span>04
-</pre></div>
-
-
+https://people.apache.org/keys/committer/ .
+Note that this shortcut fails catastrophically if the Apache website is
+ever compromised, or if an imposter breaks HTTPS security by obtaining
+a fake certificate and impersonates the site.  Be sure to keep an eye
+on the techie press for news stories of any such event!</p>
 <p>A good start to validating a key is by face-to-face communication with
 multiple government-issued photo identification confirmations. However,
 each person is free to have their own standards for determining the
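Review bot: the added opening paragraph gives the fingerprint only as a literal ("We saw the fingerprint when we verified the download: it's A93D 62EC ...") while the same hunk deletes the section's only gpg --fingerprint output, so a reader who lands on #Validating has no command here for displaying the fingerprint of the key they actually imported. Keep a one-line pointer to gpg --fingerprint next to the literal, and have it take the full fingerprint rather than the short ID 791485A8 used in the removed block, since 32-bit key IDs can be collided. In the new warning text, "by obtaining a fake certificate and impersonates the site" should read "and impersonating the site", and the URL is followed by a stray " .". The closing advice to "keep an eye on the techie press" gives the reader no check to perform; pointing back to the Web of Trust path named earlier in the same paragraph as the independent confirmation would be more actionable.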


