All,

I'm an admitted security gumbie, but I do have some questions regarding the 
download security mechanisms on the struts site.  Note, they are pretty much 
similar to those found on other similar sites so I'm not picking on anyone.  In 
fact, I just want someone to explain to me how it all works. 

I just downloaded the struts 2 source code.  I also downloaded the KEYS, 
initialized my keystore ( GPG ), and then verified the download.  It tells me 
that one of the signuatres is GOOD, which I assume means that the download's 
signature matches one of the signatures from my new keystore/db, Ted Husted's 
in this case.  Then it goes on to tell me that the signature's authenticity ( 
right word? ) is not necessarily known.  In other, words this might not 
actually be T.H. who signed the thing.  Output from signing follows at end of 
this message.

So, as I understand all this cryptography stuff, this all means that since we 
didn't download the keys in a secure method, and since they aren't in 
certificates, we can match the keys we have to the signatures we get, but its 
all kind of on a shakey foundation since the original keystore could have been 
built on malicious keys.  This is similar to getting a SSH login to a remote 
host for which you have not obtained a key through a secure method prior to 
starting the current session: SSH lets you go ahead and just pull the key over 
at that time, and go on if you wish.    

My question is:  Is this accepted as good enough?  I'm not saying it isn't, I 
just asking if this is supposed to be good enough?  Or is it just too difficult 
to do something more?  

:~/Desktop $ gpg --verify struts-2.0.1-src.zip.asc
gpg: Signature made Tue 10 Oct 2006 04:41:51 PM MDT using DSA key ID C969F74A
gpg: Good signature from "Ted Husted (Release Manager) <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1B6 016C 356A 70F3 E9B8  DACA 1ADC E843 C969 F74A


_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to