previously on this list Giancarlo Razzolini contributed: > > Are there plans to get openbsd.org serving over SSL? That would help a > > bit in trusting the keys posted to the website. > > > No, it wouldn't. If we go down that path, DNSSEC, with all it's problems > is better than SSL for this. You can get free ssl certificates these > days, so the cost isn't the issue here. I do many things that the OP > said, such as downloading the sig's from different mirrors, using > different internet connections at different times. And even now that > there are the pub keys for the next release on the install, I'll keep > doing this, just to be sure.
Perhaps we should ask debian or arch to ask gnupg.orgs keyserver to use a CA signed cert but of course they wouldn't and offer a self-signed I guess for political reasons or not to trip up those who don't understand the issues and perhaps that is true for OpenBSD and whilst it could be an extra check on the ssh fingerprints, might it make people lazy and actually less secure. OpenBSD is actually now probably the most secure open source project in this regard even initially now with so many sources for initial verification (even ip whois records of ssh servers) and re-verification and especially considering The CD's are managed by Theo himself! To top it all off past threads have shown that Arches build system and debians packages that can include binary uploads are alarmingly questionable even when signed with a known valid key. -- _______________________________________________________________________ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) In Other Words - Don't design like polkit or systemd _______________________________________________________________________
