On Thu, Sep 12, 2013 at 09:22:51AM -0400, Kenneth R Westerback wrote:
> On Thu, Sep 12, 2013 at 10:49:30AM +0200, InterNetX - Robert Garrett wrote:
> > The real problem here is that in order to be added to certain lists
> > of trusted PKI providers, you must be audited by security assessors;
> > one of the things they look for is proof that the software you're
> > using isn't tampered with.
> >
> > It appears the OP is trying to solve that issue. EVEN using the CD
> > is not enough to convince some of these people that the software is
> > genuine and untampered with.
> >
> > PGP-signed SHA256 keys in a publicly accessible place should do it.
> >
> > Though it would seem to me that if the SHA signature is the same on
> > all the mirrors through OpenBSD's distribution channels, that would be
> > verification enough. As then you would have to break into a lot of
> > systems run by very pedantic system admins in order to change it on
> > all of them.
> >
> > But let me repeat: it isn't the OP's idea of security that is
> > important, it's the idea of the people they are paying a lot of money
> > to, and the rules implemented by such companies as Microsoft, that
> > are important here.
>
> And the ideas of the people they are paying a lot of money to are one or
> more of
>
> a) wrong.
> b) arbitrary.
> c) unknown.
>
> As you say --- "... should do it.". And how will we know it does
> it? Who will the security assessors accept as valid guarantors?
> Theo? Bob? Austin? The Foundation? Resellers? Anybody running a
> mirror? Some threshold number of developers? There is no entity
> that owns or can be held responsible for the code, or is capable
> of providing a solid evidentiary path from commit to your hands.
>
> And the OpenBSD community is not some collective Zelig.
Let me post a link to a post by myself from 2007 referring to a post by myself from 2002:

http://www.mail-archive.com/[email protected]/msg52819.html

These posts already mention the issues Ken is referring to.

-Otto
