Well sorry if I may attend to this talk but what I saw so far is kinda disappointing.

You all talk about GnuBLAFOO and PKIs... OpenBSD uses gzip (not even with -9..) for the packages and for gzip there's a tool called gzsig which is already included in the base. What does the tool do? gzsig embeds or verifies RSA PKCS #1 v2.0 or DSA SHA1 signatures in gzip(1) compressed files using SSH identity keys or X509 certificates.

Another point is that the main CVS is [email protected] which tunnels via SSH already so you've to trust already the provided key. About the "trust chain": if you don't trust Theo nor the developers it's all pointless so I think the best thing is to use a SSH-Key (or Cert) provided by Theo (like for anoncvs.openbsd.org). Ready is your "signed packages for the masses" solution.

Disadvantage:
- You've to download the whole file to verify it but hell you download the whole file anyway.
- Keys need to get distributed (SSH keys can get looked up via SSH/DNS/&Your_METHOD btw... or get included during the distribution (which provides binary packages you're trusting right now anyway)). Updated keys could get distributed via CVS Updates or provided via DNS/HTTP.

Kind regards,
Sebastian
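Added illustration (not Sebastian's code and not gzsig's actual on-disk format) of the property the post relies on: a signature can ride inside the gzip FEXTRA header field (RFC 1952), so the file stays a valid gzip archive for every tool that ignores extra fields, and a verifier downloads the whole file and checks the tag over the compressed payload. The subfield id, the key and the use of HMAC-SHA256 as a stand-in for gzsig's RSA/DSA signature are assumptions made for this example.

```python
import gzip
import hashlib
import hmac
import struct

# Constructed sample "package" compressed with gzip (no extra field yet).
SAMPLE = gzip.compress(b"pkg/+CONTENTS\npkg/bin/hello\n", mtime=0)
SUBFIELD_ID = b"XS"                 # assumed subfield id, not gzsig's real one
DEMO_KEY = b"constructed-demo-key"  # HMAC key standing in for a signing key

def _split_header(gz):
    """Return (fixed 10-byte header, extra subfields, rest) of one gzip member."""
    if gz[:2] != b"\x1f\x8b" or gz[2] != 8:
        raise ValueError("not a gzip member")
    pos, extra = 10, b""
    if gz[3] & 0x04:  # FLG.FEXTRA set: XLEN (LE16) then subfields
        xlen = struct.unpack_from("<H", gz, pos)[0]
        extra = gz[pos + 2:pos + 2 + xlen]
        pos += 2 + xlen
    return gz[:10], extra, gz[pos:]

def covered_bytes(gz):
    """What the tag covers: header with FEXTRA cleared + compressed data + trailer."""
    hdr, _extra, rest = _split_header(gz)
    return hdr[:3] + bytes([hdr[3] & 0xFB]) + hdr[4:] + rest

def attach_tag(gz, key):
    """Insert a SUBFIELD_ID subfield carrying the tag; output is still valid gzip."""
    hdr, extra, rest = _split_header(gz)
    tag = hmac.new(key, covered_bytes(gz), hashlib.sha256).digest()
    extra += SUBFIELD_ID + struct.pack("<H", len(tag)) + tag
    hdr = hdr[:3] + bytes([hdr[3] | 0x04]) + hdr[4:]
    return hdr + struct.pack("<H", len(extra)) + extra + rest

def verify_tag(gz, key):
    """Walk the subfields; True only if our subfield exists and the tag matches."""
    _hdr, extra, _rest = _split_header(gz)
    expected = hmac.new(key, covered_bytes(gz), hashlib.sha256).digest()
    pos = 0
    while pos + 4 <= len(extra):
        sid = extra[pos:pos + 2]
        ln = struct.unpack_from("<H", extra, pos + 2)[0]
        if sid == SUBFIELD_ID:
            return hmac.compare_digest(extra[pos + 4:pos + 4 + ln], expected)
        pos += 4 + ln
    return False

def payload(gz):
    """Plain gzip decompression: the extra field is skipped by gzip(1)-style readers."""
    return gzip.decompress(gz)
```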