On 12/5/07, new_guy <[EMAIL PROTECTED]> wrote:
> Harpalus a Como wrote:
> >
> > What is the benefit of doing so? What's the point? Is the website so likely
> > to be hacked into, that the developers need to sign all communication just
> > to ensure that it comes from them? There's absolutely no need to sign
> > errata or official communications. Name one justifiable use for them. If the
> > OpenBSD developers didn't care about "secure communications", then OpenSSH
> > would not exist.
> >
>
> Can you dismiss PKI and the benefits that OpenPGP signatures provide to your
> user community? Knowing that xyz binary is signed by OpenBSD for
> distribution or abc email came from an official OpenBSD source is a good
> thing. Trojaned binaries and forged emails happen. PKI can help mitigate
> this. The benefit of PKI is widely known and accepted and does not need to
> be rehashed here.
Are you *sure* of that? You might want to read
http://www.schneier.com/paper-pki-ft.txt

> I'm surprised that OpenBSD (the most secure OS I know of)
> does not use it, that's all I'm saying. I also thought there would be a real
> reason for not doing so and there may in fact be and I may just be unaware
> of it.

OpenBSD is the most secure OS, the devs know what they are doing.. and
they've rejected this as unnecessary. You can check the MD5 files for the
main distribution, and for packages.. well the official OpenBSD mirrors are
all trustworthy--if they aren't, it will be discovered and they will no
longer be official mirrors.

This isn't a great answer, I know.

-Nick
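The check Nick describes, verifying the release files against the BSD-style digest list (lines of the form `MD5 (file) = hex`, the same layout OpenBSD uses for its MD5 and later SHA256 files), as an added example that is not part of the original thread and is not OpenBSD's own tooling. It parses the list strictly, hashes each listed file, and reports per-file status, including files that are present on disk but absent from the list. The file names and contents in `demo()` are constructed for the example and do not correspond to any real release. Note what the check does and does not give you: it detects a file that differs from the list, but the list itself is only as trustworthy as the channel it came from, which is exactly the point the thread argues about.

```python
import hashlib
import os
import re
import tempfile

# One BSD-style digest line, e.g.:  MD5 (bsd.rd) = 9e107d9d372bb6826bd81d3542a419d6
LINE_RE = re.compile(r'^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$')


def parse_digest_file(text):
    """Parse BSD-format digest lines into {name: (algo, hexdigest)}.

    Any line that is not blank, a comment, or a well-formed digest line
    raises ValueError, so a truncated or edited list is rejected rather
    than partially trusted."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised digest line: {line!r}")
        algo = m.group('algo').lower()
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"line {lineno}: unsupported algorithm {algo!r}")
        entries[m.group('name')] = (algo, m.group('hex').lower())
    return entries


def file_digest(path, algo, chunk=1 << 16):
    """Hash a file in chunks so large sets (install media, tarballs) fit in memory."""
    h = hashlib.new(algo)
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory, digest_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}.

    'unlisted' flags material on the mirror that the digest list says
    nothing about; such files have not been checked at all."""
    entries = parse_digest_file(digest_text)
    results = {}
    for name, (algo, expected) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = 'missing'
        elif file_digest(path, algo) == expected:
            results[name] = 'ok'
        else:
            results[name] = 'mismatch'
    for name in sorted(os.listdir(directory)):
        if name not in results:
            results[name] = 'unlisted'
    return results


def demo():
    """Constructed sample: write three small files, build a digest list for
    two of them, then tamper with one file after the list is made."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            'bsd.rd': b'constructed sample: install kernel\n',
            'base.tgz': b'constructed sample: base set\n',
            'extra.tgz': b'constructed sample: not in the digest list\n',
        }
        for name, data in files.items():
            with open(os.path.join(d, name), 'wb') as f:
                f.write(data)
        digest_text = "\n".join([
            "MD5 (bsd.rd) = " + hashlib.md5(files['bsd.rd']).hexdigest(),
            "SHA256 (base.tgz) = " + hashlib.sha256(files['base.tgz']).hexdigest(),
            "SHA256 (man.tgz) = " + "0" * 64,   # listed but never downloaded
        ])
        # Simulate a trojaned set replaced on the mirror after the list was published.
        with open(os.path.join(d, 'base.tgz'), 'ab') as f:
            f.write(b'appended payload\n')
        return verify_directory(d, digest_text)


if __name__ == '__main__':
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Running it prints one status per file; anything other than `ok` for every listed file means the download should not be installed. An attacker who controls the mirror can of course replace the digest list along with the files, so in practice the list has to be fetched from a separate source, or carry a signature, for the comparison to mean anything.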

