Subject: svn commit: r1011384 - in /websites/staging/httpd/trunk/content: ./ dev/verification.html
Date: Sat, 29 Apr 2017 14:36:53 -0000
To: cvs@httpd.apache.org
From: buildbot@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20170429143653.9F1C83A1965@svn01-us-west.apache.org> archived-at: Sat, 29 Apr 2017 14:36:55 -0000 Author: buildbot Date: Sat Apr 29 14:36:53 2017 New Revision: 1011384 Log: Staging update by buildbot for httpd Modified: websites/staging/httpd/trunk/content/ (props changed) websites/staging/httpd/trunk/content/dev/verification.html Propchange: websites/staging/httpd/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Sat Apr 29 14:36:53 2017 @@ -1 +1 @@ -1793202 +1793205 Modified: websites/staging/httpd/trunk/content/dev/verification.html ============================================================================== --- websites/staging/httpd/trunk/content/dev/verification.html (original) +++ websites/staging/httpd/trunk/content/dev/verification.html Sat Apr 29 14:36:53 2017 @@ -147,7 +147,7 @@ together, so you should be able to conne -

In this example, you have now received two public keys for an entity known +

In this example, you have now received two public keys for entities known as 'Jim Jagielski <jim@apache.org>' However, you have no way of verifying whether these keys were created by the person known as Jim Jagielski whose email address is claimed. In fact, one of them is @@ -182,27 +182,21 @@ Then, if you tried to verify the signatu would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.

Validating Authenticity of a Key

-

There are two ways to validate Jim's key. The really secure way +

The crucial step to validation is to confirm the key fingerprint of the +public key. We saw the fingerprint when we verified the download: it's +A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8

+

There are two ways to validate Jim's fingerprint. The really secure way (described below) is using the PGP "Web of Trust", which will give you a cryptographically-strong chain of trust to Jim's key. However, if you are new to PGP, this takes some time and effort. A shortcut to a reasonable level of security is to check Jim's fingerprint (using https, not http) against the database maintained by the Apache foundation of Apache developers' fingerprints at -https://people.apache.org/keys/committer/

-

The crucial step to validation is to confirm the key fingerprint of the -public key.

-
% gpg --fingerprint 791485A8
-pub   4096R/791485A8 2010-11-04 2002-04-10 
-      Key fingerprint = A93D 62EC C3C8 EA12 DB22  0EC9 34EA 76E6 7914 85A8
-uid                  Jim Jagielski (Release Signing Key) <jim@apache.org>
-uid                  Jim Jagielski <jim@jimjag.com>
-uid                  Jim Jagielski <jim@jaguNET.com>
-uid                  Jim Jagielski <jimjag@gmail.com>
-sub   4096R/9B6D9BF7 2010-11-04
-
- - +https://people.apache.org/keys/committer/ . +Note that this shortcut fails catastrophically if the Apache website is +ever compromised, or if an imposter breaks HTTPS security by obtaining +a fake certificate and impersonates the site. Be sure to keep an eye +on the techie press for news stories of any such event!

A good start to validating a key is by face-to-face communication with multiple government-issued photo identification confirmations. However, each person is free to have their own standards for determining the
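
Review bot: In the @@ -182,27 +182,21 @@ hunk, the added fingerprint paragraph relies on "We saw the fingerprint when we verified the download" while the "% gpg --fingerprint 791485A8" example and its output are deleted, so this section no longer shows the reader how to display the fingerprint of the key that is actually in their own keyring before comparing it. Consider keeping the command next to the new paragraph, or pointing explicitly at the earlier output it refers to, and add the missing period after "A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8". The new caveat on the https://people.apache.org/keys/committer/ shortcut names the failure cases (site compromise, a fake certificate) but the only mitigation offered is "keep an eye on the techie press", which is not a check a reader can perform; pointing back to the Web of Trust route that the same paragraph calls "the really secure way" would give them one. Finally, "validate Jim's fingerprint" replaces "validate Jim's key", but what is being validated is the key, by way of its fingerprint, so the earlier wording reads more accurately.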