On Wednesday 05 December 2007 11:46:16 new_guy wrote: > Harpalus a Como wrote: > > What is the benefit of doing so? What's the point? Is the website so > > likely > > to be hacked into, that the developers need to sign all communication > > just to ensure that it comes from them? There's absolutely no need to > > signing errata or official communications. Name one justifiable use for > > them. If the > > OpenBSD developers didn't care about "secure communications", then > > OpenSSH would not exist. > > Can you dismiss PKI and the benefits that OpenPGP signatures provide to > your user community? Knowing that xyz binary is signed by OpenBSD for > distribution or abc email came from an official OpenBSD source is a good > thing. Trojaned binaries and forged emails happen. PKI can help mitigate > this. The benefit of PKI is widely known and accepted and does not need to > be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of) > does not use it, that's all I'm saying. I also thought there would be a > real reason for not doing so and there may in fact be and I may just be > unaware of it.
Yes, one can dismiss the "benefits". Think about what an MD5 (or any other cyptographic) checksum means. If the OpenBSD site publishes that list, how does something more complicated help? Answer: it doesn't. --STeve Andre'
