On Fri, Dec 11, 2015 at 12:48:19PM +0100, Thijs van Dijk wrote:
> I'm saying I shouldn't *have* to rely on snail-mailed physical media. We,
> as a species, have thought of a solution to this problem long ago.

I agree in principle that we shouldn't have to rely on physical media to
obtain the keys with a high degree of confidence. Currently, though, it
is a good way.

> Sure that solution isn't perfect, but if I can guess at the list's
> attitude, I'd say it's this:
> "If we can't make it impossible to intercept traffic, we shouldn't
> bother with making it merely fiendishly difficult."
> which I think is unnecessarily fatalistic.

I think the attitude is more of priorities and the best way to expend
time and effort.

The OP was talking about https access to the entire www.openbsd.org site
whereas the discussion has now moved to obtaining the CVS tree and the
signify keys securely, which is a somewhat different issue.

My previous point was that once you have obtained ONE signify key,
you can obtain every future -release and verify its integrity without
ever buying another CD. You can't follow -current and be sure of the
integrity of what you are downloading. Of course, if anybody did
tamper with a CVS checkout of the tree, it's quite possible that you
would notice when things didn't work as expected, or future patches
didn't apply, it would depend on the sophistication of the tampering.

My personal opinion is that https://www.openbsd.org would be rather
pointless, and lead people to a false sense of security, whereas
some kind of encryption and authentication for CVSync would be useful.

On the other hand, an increase in the general proportion of web traffic
that is encrypted does make mass surveillance more time consuming and
less practical. Making www.openbsd.org available via https would not
contribute much at all to that, and would take resources away from
the project that could be used for other things.

> In either case, I'd be willing to put my money where my mouth is.
> Whom do I contact about running a site mirror?

Why would we trust your mirror?
--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com