I agree, but no one mentioned DANE. I think that's the future and the way to go. With DANE, in theory, you wouldn't need a CA. I think it's an excellent way to establish the authenticity of your content. The problem is that no browser supports it by default, and DNSSEC use is marginal.
Regards,

Giancarlo Razzolini writes:

> On 10-12-2015 20:03, Christian Weisgerber wrote:
>> The true elephant in the room is that I can't get the current OpenBSD
>> source tree securely. (Well, _I_ can if push comes to shove, but
>> the general user community can't.) CVSync? No integrity or
>> authenticity. AnonCVS over SSH? Nope, no integrity or authenticity
>> because the mirror itself got the tree over CVSync. Assuming you
>> trust the mirror in the first place.
>
> I agree with you. We don't want TLS to hide the fact that we are
> accessing the OpenBSD site. We want TLS to get a little extra confidence
> that what we are seeing on our screen is what the OpenBSD devs wanted us
> to see. Someone mentioned signify keys also. Nowadays, if I want to be
> (kind of) sure I got everything right, I need to download the files from
> different mirrors, using different internet connections, using VPNs and
> Tor, etc.
>
> TLS could be implemented in a non-mandatory way; you don't need to
> redirect HTTP connections to HTTPS ones. But it would be nice to have
> the option, at least.
>
> Cheers,
> Giancarlo Razzolini

-- 
Oriol Demaria
0x58415679