The real problem here is that in order to be added to certain lists of
trusted PKI providers, you must be audited by security assessors; one of
the things they look for is proof that the software you're using isn't
tampered with.
It appears the OP is trying to solve that issue. EVEN using the CD is
not enough to convince some of these people that the software is genuine
and untampered with.
PGP-signed SHA256 keys in a publicly accessible place should do it.
Though it would seem to me that if the SHA signature is the same on
all the mirrors through OpenBSD's distribution channels, that would be
verification enough, as then you would have to break into a lot of
systems run by very pedantic system admins in order to change it on all
of them.
But let me repeat: it isn't the OP's idea of security that is important,
it's the idea of the people they are paying a lot of money to, and the
rules implemented by such companies as Microsoft, that are important here.
RG
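The two checks RG and Valentin are discussing (verifying an image against the published SHA256 list, and comparing that list across several mirrors so that one compromised mirror stands out) can be written down concretely. The block below is an added example, not code from this thread or from the OpenBSD project. It assumes the BSD-style digest line format "SHA256 (file) = hex"; the mirror names, file names and image bytes are constructed stand-ins. PGP verification of the SHA256 file itself is a separate step and is not shown here.

```python
"""Verify an image against a BSD-style SHA256 list and cross-check that
list across mirrors.  Added example; mirror names, file names and the
image contents are constructed, not real OpenBSD release data."""
import hashlib
import re

# One digest line in the list, e.g.  SHA256 (install53.iso) = <64 hex chars>
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def parse_sha256_list(text):
    """Map file name -> lowercase hex digest; lines that do not parse are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("digest")
    return entries


def sha256_of(data):
    """Hex SHA256 of the image bytes, the value sha256(1) would print."""
    return hashlib.sha256(data).hexdigest()


def verify_image(data, name, sha256_text):
    """True only if the list names the image and the digests agree."""
    listed = parse_sha256_list(sha256_text).get(name)
    return listed is not None and listed == sha256_of(data)


def cross_check_mirrors(mirror_lists, name):
    """Compare the digest each mirror publishes for `name`.

    Returns (consensus_digest, dissenting_mirrors).  The consensus is the
    digest a strict majority of mirrors agree on; a mirror whose list
    lacks the entry votes for None.  If no digest has a strict majority
    (a tie), there is nothing to trust: consensus is None and every
    mirror is reported as dissenting."""
    votes = {}
    for mirror, text in sorted(mirror_lists.items()):
        digest = parse_sha256_list(text).get(name)
        votes.setdefault(digest, []).append(mirror)
    ranked = sorted(votes.items(), key=lambda kv: len(kv[1]), reverse=True)
    if len(ranked) > 1 and len(ranked[0][1]) == len(ranked[1][1]):
        return None, sorted(mirror_lists)
    consensus = ranked[0][0]
    dissenting = sorted(m for d, ms in votes.items() if d != consensus for m in ms)
    return consensus, dissenting


# --- constructed sample data (not a real release) ---------------------------
IMAGE_NAME = "install53.iso"                      # constructed file name
SAMPLE_IMAGE = b"constructed stand-in for an install image\n" * 1024
GOOD_DIGEST = sha256_of(SAMPLE_IMAGE)
TAMPERED_DIGEST = "f" * 64                        # what a modified mirror might list


def _sha256_file(digest):
    """Build a two-entry SHA256 list in the BSD line format."""
    return (f"SHA256 ({IMAGE_NAME}) = {digest}\n"
            f"SHA256 (miniroot53.fs) = {'0' * 64}\n")


MIRRORS = {                                       # constructed mirror names
    "ftp.example.org": _sha256_file(GOOD_DIGEST),
    "mirror.example.edu": _sha256_file(GOOD_DIGEST),
    "ftp.example.net": _sha256_file(TAMPERED_DIGEST),
}

if __name__ == "__main__":
    consensus, bad = cross_check_mirrors(MIRRORS, IMAGE_NAME)
    print("consensus digest:", consensus)
    print("mirrors disagreeing with it:", bad)
    print("image matches consensus:",
          verify_image(SAMPLE_IMAGE, IMAGE_NAME, _sha256_file(consensus)))
```

The cross-check only raises the bar in the way RG describes (an attacker must alter every mirror consistently); it is not a substitute for a signature over the SHA256 file, which is the part the assessors in this thread are asking for.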
On 09/11/2013 10:10 PM, Valentin Zagura wrote:
I was saying that other projects do it in a way they feel comfortable with
and maybe you will find a way to do it that you are comfortable with.
Using https was one simple idea. I understand that you don't think that
this adds any value, but maybe there are other ways, like signing with PGP,
maybe using SSH somehow, or having Theo de Raadt say the SHA checksums in
a video on YouTube at each release :) or some other simple and effective
way that you are comfortable with.
I just wanted to point out that one cannot easily show his security
assessor that he has the right images using some "industry standard" ways,
or someone living in a country that has an oppressive government and would
download the image through Tor could have some problems if the exit node is
malicious.
If you feel that any kind of verification is futile, it's ok, that would
not stop us from buying the CDs.
On Wed, Sep 11, 2013 at 10:32 PM, Kenneth R Westerback <[email protected]> wrote:
On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:
I don't think I'm more paranoid than the average considering that Debian
has a way to do this (http://www.debian.org/CD/verify), Fedora has a
way to do this (https://fedoraproject.org/verify), even FreeBSD has a way
to do this (https://www.freebsd.org/releases/9.1R/announce.html).
So you're saying that less paranoid projects are doing it, so why doesn't
OpenBSD join the crowd and provide some fuzzy feel good but pointless
security theatre? :-)
The thought of being more paranoid than an OpenBSD guy is not very
comfortable :)
Don't worry. You're apparently not paranoid enough yet. The true practical
paranoid does not waste time on such mummery.
.... Ken
On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni <[email protected]> wrote:
On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
Yes, we know, but that file can also be easily compromised if it's not
available for download with a secure protocol (HTTPS).
If you're paranoid, build your own hardware from the ground up,
including designing your own CPU and complementary circuits, download
all the sources, audit them all, compile and then run.
You can't be fooled by wrong measurements of security.