When first creating a CCR account you will be emailed a link to click on to verify your email address and activate your account.
How do I know these emails aren't a phishing attempt?
This is a GREAT question and we strongly encourage users to question any type of email asking you to update account information or provide passwords. We take security very seriously and will always take the following measures when communicating any account related changes with you:
1. All account activation email communication will be digitally signed using our PGP key:
2. Our website will always be updated with instructions and related information. Ensure you're viewing our website using a secure (https) link and verify that the SSL certificate is valid.
The email message sent to all CCR users has a PGP signature. Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. Some email clients will recognize the email is signed and give you options for verifying the PGP signature. If your email client doesn't, you can login to one of the CCR servers and verify that the signature is authentic. The steps for verifying this are below:
Save a copy of the email sent from CCR as a text file on one of the CCR servers (vortex, presto, etc).
Import the CCR public key for comparison with the email text:
gpg --import /util/ccr/pgp/ccr_help_key.asc
gpg: key C1F7CD96: public key "CCR Staff <firstname.lastname@example.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
Check the key fingerprint (optional):
gpg --fingerprint C1F7CD96
pub 4096R/C1F7CD96 2015-08-27 [expires: 2025-08-24]
Key fingerprint = DFAD E01B C0CA 44C5 FDC2 26C9 781A AE84 C1F7 CD96
uid CCR Staff <email@example.com>
sub 4096R/CE2FB3C2 2015-08-27 [expires: 2025-08-24]
Verify the signature in the email against the CCR public key:
gpg --verify <your_text_file>
NOTE: The WARNING message means the public key wasn't signed by a certificate authority (like SSL certifcates are) but this does not mean the signature is invalid. It just means you should ensure you obtained our public key through a trusted source, i.e. our website or directly from rush (using scp). CCR's PGP information can be found HERE. For more information about PGP, check out this website.