Subject: svn commit: r1011384 - in /websites/staging/httpd/trunk/content: ./
dev/verification.html
Date: Sat, 29 Apr 2017 14:36:53 -0000
To: cvs@httpd.apache.org
From: buildbot@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20170429143653.9F1C83A1965@svn01-us-west.apache.org>
archived-at: Sat, 29 Apr 2017 14:36:55 -0000
Author: buildbot
Date: Sat Apr 29 14:36:53 2017
New Revision: 1011384
Log:
Staging update by buildbot for httpd
Modified:
websites/staging/httpd/trunk/content/ (props changed)
websites/staging/httpd/trunk/content/dev/verification.html
Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Apr 29 14:36:53 2017
@@ -1 +1 @@
-1793202
+1793205
Modified: websites/staging/httpd/trunk/content/dev/verification.html
==============================================================================
--- websites/staging/httpd/trunk/content/dev/verification.html (original)
+++ websites/staging/httpd/trunk/content/dev/verification.html Sat Apr 29 14:36:53 2017
@@ -147,7 +147,7 @@ together, so you should be able to conne
-In this example, you have now received two public keys for an entity known
+
In this example, you have now received two public keys for entities known
as 'Jim Jagielski <jim@apache.org>' However, you have no way of
verifying whether these keys were created by the person known as Jim
Jagielski whose email address is claimed. In fact, one of them is
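Review bot: The reworded sentence still runs into the next one without a full stop: "as 'Jim Jagielski <jim@apache.org>' However, you have no way of" needs a period after the closing quote, and this hunk is the place to add it. The plural "entities known as" followed by a single name and address also reads oddly; wording such as "two public keys that both claim to belong to" would make it clearer that the point is two keys asserting one identity, only one of which can be genuine.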
@@ -182,27 +182,21 @@ Then, if you tried to verify the signatu
would succeed because the key was not the 'real' key. Therefore, you need
to validate the authenticity of this key.
Validating Authenticity of a Key
-There are two ways to validate Jim's key. The really secure way
+
The crucial step to validation is to confirm the key fingerprint of the
+public key. We saw the fingerprint when we verified the download: it's
+A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8
+There are two ways to validate Jim's fingerprint. The really secure way
(described below) is using the PGP "Web of Trust", which will give
you a cryptographically-strong chain of trust to Jim's key.
However, if you are new to PGP, this takes some time and effort.
A shortcut to a reasonable level of security is to check Jim's
fingerprint (using https, not http) against the database maintained
by the Apache foundation of Apache developers' fingerprints at
-https://people.apache.org/keys/committer/
-The crucial step to validation is to confirm the key fingerprint of the
-public key.
-% gpg --fingerprint 791485A8
-pub 4096R/791485A8 2010-11-04 2002-04-10
- Key fingerprint = A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8
-uid Jim Jagielski (Release Signing Key) <jim@apache.org>
-uid Jim Jagielski <jim@jimjag.com>
-uid Jim Jagielski <jim@jaguNET.com>
-uid Jim Jagielski <jimjag@gmail.com>
-sub 4096R/9B6D9BF7 2010-11-04
-
-
-
+https://people.apache.org/keys/committer/ .
+Note that this shortcut fails catastrophically if the Apache website is
+ever compromised, or if an imposter breaks HTTPS security by obtaining
+a fake certificate and impersonates the site. Be sure to keep an eye
+on the techie press for news stories of any such event!
A good start to validating a key is by face-to-face communication with
multiple government-issued photo identification confirmations. However,
each person is free to have their own standards for determining the
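Review bot: The fingerprint added in the new opening paragraph ("A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8") is served from the same website whose compromise the new caveat describes, so a reader who compares against this page alone gets no independent check; the text should say that the value to trust is the one gpg prints locally, compared against a source other than this page. Removing the "% gpg --fingerprint 791485A8" listing also leaves the section without any command for displaying the fingerprint, and "We saw the fingerprint when we verified the download" only works if the reader still has that earlier output on screen; consider keeping a one-line command here, given with the full fingerprint rather than the short key ID. Finally, "keep an eye on the techie press" is not something a reader can act on while verifying a download; pointing to the Web of Trust procedure described below as the fallback would be more useful.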