-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(English)

Currently, my own web server https://www.oiwa.jp uses a self-signed
certificate for TLS communication. As you know, this setting is
vulnerable to man-in-the-middle attacks, at least for first-time
accesses.

The regexp/OCaml repository was provided over the https protocol, for
several technical reasons. Provided that you know the limitation of
this setting and treat this server as only as secure as the http
protocol, there is no problem --- in fact, there is no reason to switch
to the more insecure http protocol, as long as you understand what you
are doing. (Of course, in general self-signed certificates are
unsuitable for servers accessed by the general public, because they
give a false feeling of being protected from any eavesdropping attacks.)

Since September 2005, both http and https access methods are provided.
Please choose either of those methods at your preference.

If you choose the https protocol, the svn command will show the
following warning message on the first access. If you want to validate
the genuineness of the server, compare the displayed value of the
certificate fingerprint with the value shown below. The key was
(most recently) updated on Aug 23 2006.

|| Error validating server certificate for 'https://www.oiwa.jp:443':
|| - The certificate is not issued by a trusted authority. Use the
|| fingerprint to validate the certificate manually!
|| Certificate information:
|| - Hostname: *.oiwa.jp
|| - Valid: from Aug 23 03:18:13 2006 GMT until Aug 23 03:18:13 2008 GMT
|| - Issuer: Oiwa Network, Tokyo, JP
|| - Fingerprint: 3d:41:72:53:d5:a5:9d:5d:62:67:d8:80:19:b2:22:9f:d7:c8:19:a0

If you see this kind of message again on later accesses, please
double-check the fingerprint: it may be that either (1) I changed the
server key, or (2) there is a man-in-the-middle attack ongoing.

Be sure also to check the PGP signature of this message.
My PGP public key is provided at
https://staff.aist.go.jp/y.oiwa/PGPkeys/yutaka-oiwa-pubkey.asc
(this web site is protected by a CA-signed https certificate).
You can double-check the validity of the above web address by using my
business cards. (My old business cards have a fingerprint of PGP keys.)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: From "Yutaka Oiwa"

iD8DBQFE7AFKR1RAwZld0+ERAoXMAKCZI5fP//p3GyzaxnC9kPv3R+BMjgCff0Ll
9S5eGmE/ODlRGvjxh69phK4=
=4tWO
-----END PGP SIGNATURE-----
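
The manual fingerprint comparison described in the notice above can be scripted. This is an added example, not part of the signed message or the author's code; it assumes the 40-hex-digit value is the SHA-1 digest of the DER-encoded certificate, and all function names are hypothetical.

```python
import hashlib
import hmac
import re
import socket
import ssl

# Fingerprint published in the signed notice above (40 hex digits, i.e. SHA-1).
PINNED = "3d:41:72:53:d5:a5:9d:5d:62:67:d8:80:19:b2:22:9f:d7:c8:19:a0"

# Constructed sample: part of the svn warning text as quoted in the notice.
SAMPLE_PROMPT = """Certificate information:
 - Hostname: *.oiwa.jp
 - Fingerprint: 3d:41:72:53:d5:a5:9d:5d:62:67:d8:80:19:b2:22:9f:d7:c8:19:a0
"""

def normalize(fp):
    """Return 40 lower-case hex digits, or raise if fp is not a SHA-1 fingerprint."""
    digits = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return digits

def fingerprint_from_prompt(text):
    """Pull the fingerprint out of the warning text printed by svn."""
    m = re.search(r"Fingerprint:\s*([0-9A-Fa-f:]+)", text)
    if m is None:
        raise ValueError("no Fingerprint line found")
    return normalize(m.group(1))

def der_fingerprint(der):
    """SHA-1 over the DER-encoded certificate (assumed to be what svn displays)."""
    return hashlib.sha1(der).hexdigest()

def matches_pin(observed, pinned=PINNED):
    """True only if the observed fingerprint equals the published one."""
    return hmac.compare_digest(normalize(observed), normalize(pinned))

def fetch_der(host, port=443):
    """Fetch the server certificate without CA validation; the pin is the check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    print(matches_pin(fingerprint_from_prompt(SAMPLE_PROMPT)))
```

Against a live server the check is `matches_pin(der_fingerprint(fetch_der(host)))`; a mismatch means either a changed server key or an interposed party, the two cases the notice lists.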