On 13-08-2014 10:55, Kevin Chadwick wrote:
> Perhaps we should ask Debian or Arch to ask gnupg.org's keyserver to use
> a CA signed cert but of course they wouldn't and offer a self-signed I
> guess for political reasons or not to trip up those who don't
> understand the issues and perhaps that is true for OpenBSD and whilst
> it could be an extra check on the ssh fingerprints, might it make people
> lazy and actually less secure.

Today there is never a need for self-signed certs. You can get them for free, there's no excuse. For ssh fingerprints there are SSHFP records. With DNSSEC, they can be better checked. But I agree with you that it might make people lazy.

> OpenBSD is actually now probably the most
> secure open source project in this regard even initially now with so
> many sources for initial verification (even IP whois records of ssh
> servers) and re-verification and especially considering

With signify, OpenBSD managed to give the same level of trust, especially on the packages, as the Linux distros with their gpged apt. But better. Signify is way simpler. On the verification side, OpenBSD have lots of mirrors, but if your DNS is compromised you can't trust your whois.

>
>
> The CD's are managed by Theo himself!

This is great. But if you're being targeted, your CD might be intercepted. This is why you should use them plus the internet for checking things.

>
> To top it all off past threads have shown that Arch's build system and
> Debian's packages that can include binary uploads are alarmingly
> questionable even when signed with a known valid key.

Their security track record isn't that great.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC