sadly, AFAIK this document does not exist as yet. (i have been intending
to create one for quite a long time.) 

please google for the theory behind these technologies but i'll try to
give a brief guide. 

md5 is a checksum. a checksum is a numeric hash of a file. the idea is
that two different files will have different checksums. you use a
secure, trusted channel to learn the checksum then use the same
algorithm to calculate the checksum for the file which has been obtained
from an untrusted channel. if the checksum calculated matches then you
can conclude that the file is identical to the one that the trusted
checksum was calculated from.

in ASF terms, downloading a file from an apache mirror and an md5
checksum from an apache server, and calculating the md5 sum for that file,
should allow you to determine whether the file you downloaded from the
mirror is identical to the file that the sum placed on the apache server
was calculated from.
 
checking the md5 sum should be a good enough guarantee for the vast
majority of users. 

if you have more stringent requirements, you might also want to check
the openPGP-compatible digital signature. this tells you something
different: which key was used to sign the release. if you have a public
key matching the private key used to sign the release then you can
verify the signature of the file. this tells you whether the file is
identical to the one used to create the signature. note that you can
only trust this method of verification as far as you can trust the
public key. unless your web of trust extends to the key in question,
this method may be no more secure than the md5 sum. see
http://people.apache.org/~henkp/.

in terms of implementations, i use http://www.gnupg.org for the
signatures, and openssl or md5sum for the sums.

- robert

On Sun, 2005-05-01 at 12:02 -0600, Robert Voelkerding wrote:
> Please direct me to an explanation of how to use MD5 and/or PGP keys to 
> verify downloads.
> 
> Thank you.


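The two checks described in the reply above, put into a small script. This is an added example, not part of Robert's mail or of any Apache tooling; the file names (release.tar.gz and its .md5 and .asc companions) are assumptions, as is the convention that the .md5 and .asc files were fetched from the main apache.org server rather than from the mirror that served the archive.

```shell
#!/bin/sh
# Added example (not from the original mail): verify a mirrored download
# against a detached .md5 file obtained over a trusted channel, then
# optionally check the OpenPGP signature with gpg.
# File names are illustrative assumptions.

# verify_md5 FILE SUMFILE
# SUMFILE may be in md5sum style ("HASH  FILENAME"), openssl style
# ("MD5(FILENAME)= HASH") or a bare hash, upper or lower case.
# Prints OK or MISMATCH and returns 0 on match, 1 on mismatch,
# 2 if no hash could be read from SUMFILE.
verify_md5() {
    file=$1
    sumfile=$2
    # Normalise to lower case and pull out the first 32-hex-digit token;
    # the filename column (if any) is ignored so a renamed download still checks.
    expected=$(tr -d '\r' < "$sumfile" | tr 'A-F' 'a-f' | grep -o '[0-9a-f]\{32\}' | head -n 1)
    if [ -z "$expected" ]; then
        echo "no md5 found in $sumfile" >&2
        return 2
    fi
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK"
        return 0
    fi
    echo "MISMATCH: expected $expected, got $actual"
    return 1
}

# verify_sig SIGFILE FILE
# Runs gpg --verify on a detached signature. gpg reports which key signed
# the file; as the mail says, that only means something if you have
# independently decided to trust that key (e.g. imported the project's
# KEYS file from the main server and checked fingerprints).
verify_sig() {
    sig=$1
    file=$2
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; skipping signature check" >&2
        return 2
    fi
    gpg --verify "$sig" "$file"
}

# Command-line use: ./verify.sh release.tar.gz release.tar.gz.md5 [release.tar.gz.asc]
if [ "$#" -ge 2 ]; then
    verify_md5 "$1" "$2" || exit 1
    if [ "$#" -ge 3 ]; then
        verify_sig "$3" "$1"
    fi
fi
```

The md5 check only proves the mirror gave you the same bytes the .md5 file describes; it says nothing about who produced them, which is why the .md5 must come from a server you trust and not from the mirror itself. The gpg step adds the "which key" information, and `gpg --verify` will print a warning if that key is not in your web of trust.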