also means somebody paid a lot of money for that green bar
On 09/11/2013 04:46 PM, Janne Johansson wrote:
So you publish something on a HTTPS page, which means that when the browser
says "green padlock", it only says: "this site was using a key signed by
someone who in turn was signed by someone out of a few hundred CAs in a
list which include companies in scary countries*". That will help a lot.
*) Please exchange the list of scary countries to whatever scares you in
your particular example. For Syria it could be the US, for US it could be
Syria. Or some other combination of opposition.
2013/9/11 Valentin Zagura <[email protected]>
Thanks for the suggestion, we will probably order the CD.
But on the other hand, I hope that you realize that people in some
countries (Iran, China, Egypt, Syria) would not have this possibility and
they could be more affected by a compromise than we would be (they might
probably pay with their lives) and I hope you guys are also thinking of
them.
Thanks,
Valentin Zagura
On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen <[email protected]> wrote:
On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
We are going to use an OpenBSD system in a PCI-DSS compliant environment.
Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
image we use for our installation can be checked so that it is the correct
one (is not modified in a malicious way by a third party)?
Probably not what you want to hear, but starting with
http://www.openbsd.org/orders.html
is usually an excellent idea in this context. Verifiably delivered from a
trusted source.
An https link to some kind of ISO checksum or something similar (but using
strong cryptography) I think would do it, but I could not find any (except
a line in the FAQ stating "If the men in black suits are out to get you,
they're going to get you." which is not the case :) )
It's possible some of the more prominent entries on
http://www.openbsd.org/support.html
could be persuaded to provide something like that (M:Tier comes to mind,
but why are they not on that page?) in exchange for a reasonable fee.
But again, for -RELEASE, the CD sets are a good starting point.
- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Kind regards
Robert Garrett
Senior System Engineer
Technical Projects & Solutions
--
InterNetX GmbH
Maximilianstr. 6
93047 Regensburg
Germany
Tel. +49 941 59559-480
Fax +49 941 59559-245
www.internetx.com
www.facebook.com/InterNetX
www.twitter.com/InterNetX
Geschäftsführer/CEO: Thomas Mörz
Amtsgericht Regensburg, HRB 7142
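The thread asks for a way to check an install image against a checksum published with strong cryptography. The script below is an added example, not code from the thread or from the OpenBSD project: it verifies a file against a manifest line in the "SHA256 (name) = hex" layout, reports a mismatch, and demonstrates both outcomes on constructed data. It assumes only a POSIX shell plus either sha256sum(1) from coreutils or sha256(1); the file names, the manifest contents and the "tampered" copy are constructed for the demonstration. As Janne's message points out, a digest only moves the trust question to wherever the manifest came from, so the manifest must be fetched over a channel you actually trust, or compared against a value obtained out of band.

```shell
#!/bin/sh
# Added example (not from the thread): verify an install image against a
# SHA256 manifest in the "SHA256 (name) = hex" layout.
# Assumes a POSIX shell and either sha256sum (coreutils) or sha256(1).

# Print the SHA-256 hex digest of the file given as $1, and nothing else.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Print the digest recorded in manifest $1 for the file named $2.
# Matches the name exactly (no regex metacharacters involved).
expected_digest() {
    awk -v name="$2" '$1 == "SHA256" && $2 == "(" name ")" { print $4; exit }' "$1"
}

# verify_image MANIFEST FILE [NAME]
# Compares FILE against the manifest entry for NAME (default: basename of FILE).
# Returns 0 on match, 1 on mismatch, 2 if NAME has no entry in the manifest.
verify_image() {
    manifest=$1; file=$2; name=${3:-$(basename "$file")}
    want=$(expected_digest "$manifest" "$name")
    [ -n "$want" ] || { echo "no entry for $name in $manifest" >&2; return 2; }
    have=$(digest_of "$file")
    if [ "$have" = "$want" ]; then
        echo "OK: $name matches manifest"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $want" >&2
    echo "  got      $have" >&2
    return 1
}

# Self-contained demonstration on constructed data; no network access.
# Returns 0 only if the genuine file verifies and the tampered copy does not.
demo() {
    tmp=$(mktemp -d)
    printf 'pretend this is an install image\n' > "$tmp/install.iso"
    printf 'SHA256 (install.iso) = %s\n' "$(digest_of "$tmp/install.iso")" > "$tmp/SHA256"
    verify_image "$tmp/SHA256" "$tmp/install.iso" && good=0 || good=$?
    # A copy differing in a single byte must be rejected.
    printf 'pretend this is an install imagf\n' > "$tmp/tampered.iso"
    verify_image "$tmp/SHA256" "$tmp/tampered.iso" install.iso && bad=0 || bad=$?
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

In practice you would point verify_image at the downloaded image and at a SHA256 manifest obtained separately; a return code of 2 means the manifest never listed the file, which should be treated as a failure rather than a pass.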