So you publish something on a HTTPS page, which means that when the browser says "green padlock", it only says: "this site was using a key signed by someone who in turn was signed by someone out of a few hundred CAs in a list which include companies in scary countries*". That will help a lot.
*) Please exchange the list of scary countries to whatever scares you in your particular example. For Syria it could be the US, for US it could be Syria. Or some other combination of opposition. 2013/9/11 Valentin Zagura <[email protected]> > Thanks for the suggestion, we will probably order the CD. > > But on the other hand, I hope that you realize that people in some > countries (Iran, China, Egypt, Syria) would not have this possibility and > they could be more affected by a compromise than we would be (they might > probably pay with their lives) and I hope you guys are also thinking of > them. > > Thanks, > Valentin Zagura > > > On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen <[email protected] > >wrote: > > > On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote: > > > > > We are going to use a OpenBSD system in a PCI-DSS compliant > environment. > > > Is there any way we can prove to our PCI-DSS assessor that the OpenBSD > > > image we use for our installation can be checked so that it is the > > correct > > > one (is not modified in a malicious way by a third party) ? > > > > Probably not what you want to hear, but starting with > > http://www.openbsd.org/orders.html > > is usually an excellent idea in this context. Verifiably delivered from a > > trusted source. > > > > > A https link to some kind of ISO checksum or something similar (but > using > > > strong cryptography) I think would do it, but I could not find any > > (except > > > a line in the FAQ stating "If the men in black suits are out to get > you, > > > they're going to get you." which is not the case :) ) > > > > It's possible some of the more prominent entries on > > http://www.openbsd.org/support.html > > could be persuaded to provide something like that (M:Tier comes to mind, > > but why are > > they not on that page?) in exchange for a reasonable fee. > > > > But again, for -RELEASE, the CD sets are a good starting point. > > > > - Peter > > > > -- > > Peter N. M. Hansteen, member of the first RFC 1149 implementation team > > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ > > "Remember to set the evil bit on all malicious network traffic" > > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds. > > > -- May the most significant bit of your life be positive.
