Merge remote-tracking branch 'origin/master'

Conflicts:
	public/blog/atom.xml
	public/blog/gems-signed-with-rubygems-openpgp.html

config/jekyll/_posts/2013-03-14-ca-exploited-by-uber-hacker-havenwood.markdown

@@ -73,6 +73,64 @@ against Havenwood's key.  Any attempt to install software signed by
 this key with the `--trust` option would now fail as the key will no
 longer be trusted.
 
+Example
+-------
+
+(This example assumes you've already trusted our keys as described in
+[The Complete Guide to Signing the Certificate Authority Keys](/blog/the-complete-guide-to-signing-the-certificate-authority-keys.html).)
+
+Get Havenwood's key and examine the signatures:
+
+    gpg --keyserver pool.sks-keyservers.net --recv-key 0x50DBC4B4
+    gpg --list-sigs 0x50DBC4B4
+
+You'll see that you have both our original signature and the
+revocation.
+
+Here's a message Havenwood signed.  Save this to a file somewhere:
+
+    -----BEGIN PGP SIGNED MESSAGE-----
+    Hash: SHA1
+
+    This is our world now... the world of the electron and the switch, the beauty of the baud.
+    -----BEGIN PGP SIGNATURE-----
+    Version: GnuPG v1.4.13 (Darwin)
+
+    iQIcBAEBAgAGBQJRR1NRAAoJEM9hVGdQ28S00hcQALyHa/3ZpmWY7jwWLoXXZbpc
+    Pd+MXuH2cmkUBx/Xaeu8FzcNL05svBoZrQn8eJNTRgYN/zD5b8G6eD3a5w4PVO3I
+    7hP0zN+WRqUBvwuJdq7Ek0cdGNOMU+jGonSCfRhTwTNDBeDWkoIxkiIl+04BmSAD
+    7kBaHZu0vWbHjWEJkAM26KaE3r/bVYTojVO0D8RKdJ8d6H5nyRW8F3S+b4sHmwXY
+    hEb9zz1/QkUbU9L4I3I+ag43HAw9ywsTDcWfGk5G3V7aUCWYTMfoIjuEEhQYQAHJ
+    UcJy0cuJxQtOG6gP3N/x9WSeLmVOleTrJSVuV0CsDw9lR3ALHVZJ5A8HpevKe795
+    HokoVpwjN4580qKIeRZM2eB+P6sK8CJKXxh8rAqAsgv9TrsfXD8ESKy4iqF0ZS96
+    wSj5btHLU7Jk511w8wKWLr66fPTLd6wLP/+2Iw5BWntERMPMjICP8erDzw7Lah05
+    ghiSyj2lifMqwoXe4nznAVmihEjv7tOXE45IlSBc6nBUQxtMMgTzUTuqRbumMLXf
+    W2TYVYI01Dv/KWjo+XvmLNte8irhIoePRekj/Do0BD9hzYiN6ZrxZw7sgOswo+uV
+    g+NYUof3jVa2pd7RQo1ihbp0eqrtjQbOf6ZhvbUxu3DDoNkIS8j9DK3kXecoQW1W
+    A5sPId7OoYQUlId/RprT
+    =12Qp
+    -----END PGP SIGNATURE-----
+
+Check the signature:
+
+    johnmudhead:~ grant$ gpg foo.txt.asc 
+    gpg: Signature made Mon Mar 18 13:43:33 2013 EDT using RSA key ID 50DBC4B4
+    gpg: Good signature from "Shannon Skipper (havenwood) <blah@example.com>"
+    gpg: WARNING: This key is not certified with a trusted signature!
+    gpg:          There is no indication that the signature belongs to the owner.
+    Primary key fingerprint: 06CB 6789 306C 1DC4 BEAE  ABF1 CF61 5467 50DB C4B4
+
+Note the **WARNING** lines of text.  This is because we our signature
+is no longer included in the calculations.
+
+If you ran `gem install foo --trust` against a gem signed by this key
+the operation would now because the key is once again untrusted.
+
+On the other hand, if you trusted the key by other means, for example
+because you knew Havenwood personally, the install would succeed.  Our
+revocation doesn't state anything good or bad about Havenwood other
+than the fact that you should ignore our previous certification.
+
 And that's how our revocation system works
 ------------------------------------------
 

public/blog/atom.xml

@@ -417,6 +417,66 @@ against Havenwood's key.  Any attempt to install software signed by
 this key with the <code>--trust</code> option would now fail as the key will no
 longer be trusted.</p>
 
+<h2>Example</h2>
+
+<p>(This example assumes you've already trusted our keys as described in
+<a href="/blog/the-complete-guide-to-signing-the-certificate-authority-keys.html">The Complete Guide to Signing the Certificate Authority Keys</a>.)</p>
+
+<p>Get Havenwood's key and examine the signatures:</p>
+
+<pre><code>gpg --keyserver pool.sks-keyservers.net --recv-key 0x50DBC4B4
+gpg --list-sigs 0x50DBC4B4
+</code></pre>
+
+<p>You'll see that you have both our original signature and the
+revocation.</p>
+
+<p>Here's a message Havenwood signed.  Save this to a file somewhere:</p>
+
+<pre><code>-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+This is our world now... the world of the electron and the switch, the beauty of the baud.
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.13 (Darwin)
+
+iQIcBAEBAgAGBQJRR1NRAAoJEM9hVGdQ28S00hcQALyHa/3ZpmWY7jwWLoXXZbpc
+Pd+MXuH2cmkUBx/Xaeu8FzcNL05svBoZrQn8eJNTRgYN/zD5b8G6eD3a5w4PVO3I
+7hP0zN+WRqUBvwuJdq7Ek0cdGNOMU+jGonSCfRhTwTNDBeDWkoIxkiIl+04BmSAD
+7kBaHZu0vWbHjWEJkAM26KaE3r/bVYTojVO0D8RKdJ8d6H5nyRW8F3S+b4sHmwXY
+hEb9zz1/QkUbU9L4I3I+ag43HAw9ywsTDcWfGk5G3V7aUCWYTMfoIjuEEhQYQAHJ
+UcJy0cuJxQtOG6gP3N/x9WSeLmVOleTrJSVuV0CsDw9lR3ALHVZJ5A8HpevKe795
+HokoVpwjN4580qKIeRZM2eB+P6sK8CJKXxh8rAqAsgv9TrsfXD8ESKy4iqF0ZS96
+wSj5btHLU7Jk511w8wKWLr66fPTLd6wLP/+2Iw5BWntERMPMjICP8erDzw7Lah05
+ghiSyj2lifMqwoXe4nznAVmihEjv7tOXE45IlSBc6nBUQxtMMgTzUTuqRbumMLXf
+W2TYVYI01Dv/KWjo+XvmLNte8irhIoePRekj/Do0BD9hzYiN6ZrxZw7sgOswo+uV
+g+NYUof3jVa2pd7RQo1ihbp0eqrtjQbOf6ZhvbUxu3DDoNkIS8j9DK3kXecoQW1W
+A5sPId7OoYQUlId/RprT
+=12Qp
+-----END PGP SIGNATURE-----
+</code></pre>
+
+<p>Check the signature:</p>
+
+<pre><code>johnmudhead:~ grant$ gpg foo.txt.asc 
+gpg: Signature made Mon Mar 18 13:43:33 2013 EDT using RSA key ID 50DBC4B4
+gpg: Good signature from "Shannon Skipper (havenwood) <blah@example.com>"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 06CB 6789 306C 1DC4 BEAE  ABF1 CF61 5467 50DB C4B4
+</code></pre>
+
+<p>Note the <strong>WARNING</strong> lines of text.  This is because we our signature
+is no longer included in the calculations.</p>
+
+<p>If you ran <code>gem install foo --trust</code> against a gem signed by this key
+the operation would now because the key is once again untrusted.</p>
+
+<p>On the other hand, if you trusted the key by other means, for example
+because you knew Havenwood personally, the install would succeed.  Our
+revocation doesn't state anything good or bad about Havenwood other
+than the fact that you should ignore our previous certification.</p>
+
 <h2>And that's how our revocation system works</h2>
 
 <p>Thanks for being a good sport Havenwood.</p>

public/blog/ca-exploited-by-uber-hacker-havenwood.html

@@ -177,6 +177,66 @@ <h2>How Do Users Get the Revocation Certificate?</h2>
 this key with the <code>--trust</code> option would now fail as the key will no
 longer be trusted.</p>
 
+<h2>Example</h2>
+
+<p>(This example assumes you've already trusted our keys as described in
+<a href="/blog/the-complete-guide-to-signing-the-certificate-authority-keys.html">The Complete Guide to Signing the Certificate Authority Keys</a>.)</p>
+
+<p>Get Havenwood's key and examine the signatures:</p>
+
+<pre><code>gpg --keyserver pool.sks-keyservers.net --recv-key 0x50DBC4B4
+gpg --list-sigs 0x50DBC4B4
+</code></pre>
+
+<p>You'll see that you have both our original signature and the
+revocation.</p>
+
+<p>Here's a message Havenwood signed.  Save this to a file somewhere:</p>
+
+<pre><code>-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+This is our world now... the world of the electron and the switch, the beauty of the baud.
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.13 (Darwin)
+
+iQIcBAEBAgAGBQJRR1NRAAoJEM9hVGdQ28S00hcQALyHa/3ZpmWY7jwWLoXXZbpc
+Pd+MXuH2cmkUBx/Xaeu8FzcNL05svBoZrQn8eJNTRgYN/zD5b8G6eD3a5w4PVO3I
+7hP0zN+WRqUBvwuJdq7Ek0cdGNOMU+jGonSCfRhTwTNDBeDWkoIxkiIl+04BmSAD
+7kBaHZu0vWbHjWEJkAM26KaE3r/bVYTojVO0D8RKdJ8d6H5nyRW8F3S+b4sHmwXY
+hEb9zz1/QkUbU9L4I3I+ag43HAw9ywsTDcWfGk5G3V7aUCWYTMfoIjuEEhQYQAHJ
+UcJy0cuJxQtOG6gP3N/x9WSeLmVOleTrJSVuV0CsDw9lR3ALHVZJ5A8HpevKe795
+HokoVpwjN4580qKIeRZM2eB+P6sK8CJKXxh8rAqAsgv9TrsfXD8ESKy4iqF0ZS96
+wSj5btHLU7Jk511w8wKWLr66fPTLd6wLP/+2Iw5BWntERMPMjICP8erDzw7Lah05
+ghiSyj2lifMqwoXe4nznAVmihEjv7tOXE45IlSBc6nBUQxtMMgTzUTuqRbumMLXf
+W2TYVYI01Dv/KWjo+XvmLNte8irhIoePRekj/Do0BD9hzYiN6ZrxZw7sgOswo+uV
+g+NYUof3jVa2pd7RQo1ihbp0eqrtjQbOf6ZhvbUxu3DDoNkIS8j9DK3kXecoQW1W
+A5sPId7OoYQUlId/RprT
+=12Qp
+-----END PGP SIGNATURE-----
+</code></pre>
+
+<p>Check the signature:</p>
+
+<pre><code>johnmudhead:~ grant$ gpg foo.txt.asc 
+gpg: Signature made Mon Mar 18 13:43:33 2013 EDT using RSA key ID 50DBC4B4
+gpg: Good signature from "Shannon Skipper (havenwood) &lt;blah@example.com&gt;"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 06CB 6789 306C 1DC4 BEAE  ABF1 CF61 5467 50DB C4B4
+</code></pre>
+
+<p>Note the <strong>WARNING</strong> lines of text.  This is because we our signature
+is no longer included in the calculations.</p>
+
+<p>If you ran <code>gem install foo --trust</code> against a gem signed by this key
+the operation would now because the key is once again untrusted.</p>
+
+<p>On the other hand, if you trusted the key by other means, for example
+because you knew Havenwood personally, the install would succeed.  Our
+revocation doesn't state anything good or bad about Havenwood other
+than the fact that you should ignore our previous certification.</p>
+
 <h2>And that's how our revocation system works</h2>
 
 <p>Thanks for being a good sport Havenwood.</p>
@@ -191,7 +251,7 @@ <h2>Related Posts</h2>
 
       <li><span>24 Feb 2013</span> &raquo; <a href="/blog/the-complete-guide-to-signing-the-certificate-authority-keys.html">The Complete Guide to Signing the Certificate Authority Keys</a></li>
 
-      <li><span>04 Mar 2013</span> &raquo; <a href="/blog/key-revocation.html">Key Revocation</a></li>
+      <li><span>23 Feb 2013</span> &raquo; <a href="/blog/the-complete-guide-to-verifying-gems-with-rubygems-openpgp.html">The Complete Guide to Verifying Gems with rubygems-openpgp</a></li>
 
   </ul>
 </div>