keys, security on downloads

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Tomcat - JSP/Servlet container

Struts - A MVC web framework

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

JSP - A mailing list about Java Server Pages specification and reference

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Oracle Connection Pooling in 3 2 2
•	Servlet : Session invalidate
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Tomcat and webapplication specific java library path
•	Running a Simple JMS Example
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	Cannot find message resources under key org apache struts action MESSAGE
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	url string for connecting jboss to oracle
•	Value attribute of <html:checkbox
•	javax servlet ServletException: BeanUtils populate
•	HTTP Status 404 The requested resource is not available
•	5 0 18: Windows XP Pro vs Windows 2000

keys, security on downloads

keys, security on downloads

2007-01-30 - By Bob

Back

All,

I'm an admitted security gumbie, but I do have some questions regarding the
download security mechanisms on the struts site. Note, they are pretty much
similar to those found on other similar sites so I'm not picking on anyone. In
fact, I just want someone to explain to me how it all works.

I just downloaded the struts 2 source code. I also downloaded the KEYS,
initialized my keystore ( GPG ), and then verified the download. It tells me
that one of the signuatres is GOOD, which I assume means that the download's
signature matches one of the signatures from my new keystore/db, Ted Husted's
in this case. Then it goes on to tell me that the signature's authenticity (
right word? ) is not necessarily known. In other, words this might not
actually be T.H. who signed the thing. Output from signing follows at end of
this message.

So, as I understand all this cryptography stuff, this all means that since we
didn't download the keys in a secure method, and since they aren't in
certificates, we can match the keys we have to the signatures we get, but its
all kind of on a shakey foundation since the original keystore could have been
built on malicious keys. This is similar to getting a SSH login to a remote
host for which you have not obtained a key through a secure method prior to
starting the current session: SSH lets you go ahead and just pull the key over
at that time, and go on if you wish.

My question is: Is this accepted as good enough? I'm not saying it isn't, I
just asking if this is supposed to be good enough? Or is it just too difficult
to do something more?

:~/Desktop $ gpg --verify struts-2 (See http://uts-2.ora-code.com).0.1-src.zip.asc
gpg: Signature made Tue 10 Oct 2006 04:41:51 PM MDT using DSA key ID C969F74A
gpg: Good signature from "Ted Husted (Release Manager) <husted@(protected)>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1B6 016C 356A 70F3 E9B8 DACA 1ADC E843 C969 F74A

__ ____ ____ ____ ____ ____ ____ ____ ____ ____
Join Excite! - http://www.excite.com
The most personalized portal on the Web!

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To unsubscribe, e-mail: user-unsubscribe@(protected)
For additional commands, e-mail: user-help@(protected)