On 11 December 2015 at 03:58, Kamil Cholewiński <harry6...@gmail.com> wrote:
>> The official CD set contains the signify keys for that release and the
>> next one.  Once you have a known good copy of one set, you can always
>> obtain future ones securely.
>>
>> You don't even need to use the CD set to install, just as a way of
>> obtaining the signify keys with a high degree of confidence.
>
> This is the real thing bothering me. I don't even have a CD drive
> available, and I was about to ask if it would be possible to get the
> signify keys via paper mail in exchange for a donation. But both paper
> and CDs can be intercepted and tampered with (with some effort).
>
>> I currently just assume they are correct because it'd be enormously
>> complex to spoof the entire OpenBSD distribution, but I shouldn't have
>> to rely on "security through effort involved".
>
> Exactly, and this is a problem with the CDs too. There's currently no
> way to securely bootstrap the chain of trust. HTTPS is a way to do that.

LOL.  Maybe you should read this:

http://marc.info/?l=openbsd-bugs&m=138445221329747&w=2

Or take a look at the full list of CAs in your browser.

>
> Yes, we would have to rely on third parties (CAs). It can be optional
> (so that a text browser from an ancient unsupported release can still

Thing is, in https land, a "downgrade" is considered a serious attack,
not a backwards-compatibility feature.

If the browser fails to load https://example.org/, it will not even
suggest you go to the http://example.org/ version.

And what happens when someone gets their web-site onto https?  People
start linking to the https version, so, legacy devices/releases may no
longer be capable of just following the web of links.  (So much for
World Wide Web!)

> access plain HTTP version fine). It can be just a single page like
> keys.openbsd.org so that there are few extra computing resources used.
> It doesn't have to be Let's Encrypt - heck, I'm willing to go to
> RapidSSL or whoever and pay for it myself if someone can give me a CSR
> and assist with domain validation.

Yes, and once you give in to https once, you're hooked and have to
keep paying someone every year, and have to keep changing the cert
every year.

C.

>
> K.
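The "known good copy of one set lets you obtain future ones securely" point above is a key chain: release N's signify key signs release N+1's key file, so only the first key needs an out-of-band root. The following Go program is an added example, not code from the thread or from OpenBSD's signify(1); it uses Go's standard crypto/ed25519 and models the chain with freshly generated keys. The two-line "untrusted comment:" plus base64 layout, with "Ed", an 8-byte keynum and the key or signature in the body, is my reading of signify's file format and is an assumption of this example; the release names are made up.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumed signify-style layout (example's assumption, not taken from the thread):
//   key file body: "Ed" | keynum[8] | ed25519 public key[32]
//   sig file body: "Ed" | keynum[8] | ed25519 signature[64]
// each wrapped as one "untrusted comment:" line plus one base64 line.
const pkAlg = "Ed"

func encodeFile(comment string, body []byte) string {
	return "untrusted comment: " + comment + "\n" +
		base64.StdEncoding.EncodeToString(body) + "\n"
}

// decodeFile strips the untrusted comment and checks the algorithm tag.
func decodeFile(text string) ([]byte, error) {
	lines := strings.SplitN(text, "\n", 3)
	if len(lines) < 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return nil, errors.New("missing untrusted comment line")
	}
	body, err := base64.StdEncoding.DecodeString(lines[1])
	if err != nil {
		return nil, err
	}
	if len(body) < 10 || string(body[:2]) != pkAlg {
		return nil, errors.New("unsupported algorithm")
	}
	return body, nil
}

// verify checks sigFile over msg with the key in keyFile. The keynum in the
// signature must match the key's, so a signature by some other key is rejected
// before any cryptographic check.
func verify(keyFile, sigFile string, msg []byte) error {
	kb, err := decodeFile(keyFile)
	if err != nil || len(kb) != 10+ed25519.PublicKeySize {
		return errors.New("bad public key file")
	}
	sb, err := decodeFile(sigFile)
	if err != nil || len(sb) != 10+ed25519.SignatureSize {
		return errors.New("bad signature file")
	}
	if !bytes.Equal(kb[2:10], sb[2:10]) {
		return errors.New("signature made with a different keynum")
	}
	if !ed25519.Verify(ed25519.PublicKey(kb[10:]), msg, sb[10:]) {
		return errors.New("signature verification failed")
	}
	return nil
}

// release holds a generated keypair; the real keys are generated by the
// OpenBSD developers, this example only makes its own for illustration.
type release struct {
	priv    ed25519.PrivateKey
	keynum  []byte
	PubFile string
}

func newRelease(name string) (release, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return release{}, err
	}
	keynum := make([]byte, 8)
	if _, err := rand.Read(keynum); err != nil {
		return release{}, err
	}
	body := append(append([]byte(pkAlg), keynum...), pub...)
	return release{priv, keynum, encodeFile(name+" public key", body)}, nil
}

func (r release) sign(msg []byte) string {
	body := append(append([]byte(pkAlg), r.keynum...), ed25519.Sign(r.priv, msg)...)
	return encodeFile("signature", body)
}

// BuildChain makes n+1 release keys and n links, each link being the next
// release's key file and a signature over it by the previous release's key.
func BuildChain(n int) (root string, links [][2]string, err error) {
	prev, err := newRelease("release-0")
	if err != nil {
		return "", nil, err
	}
	root = prev.PubFile
	for i := 1; i <= n; i++ {
		next, err := newRelease(fmt.Sprintf("release-%d", i))
		if err != nil {
			return "", nil, err
		}
		links = append(links, [2]string{next.PubFile, prev.sign([]byte(next.PubFile))})
		prev = next
	}
	return root, links, nil
}

// VerifyKeyChain starts from the out-of-band trusted key file and accepts each
// next key only if the currently trusted key signed it. It returns the last
// key file that the chain vouches for.
func VerifyKeyChain(trusted string, links [][2]string) (string, error) {
	for i, l := range links {
		if err := verify(trusted, l[1], []byte(l[0])); err != nil {
			return "", fmt.Errorf("link %d: %w", i, err)
		}
		trusted = l[0]
	}
	return trusted, nil
}

func main() {
	root, links, err := BuildChain(3)
	if err != nil {
		panic(err)
	}
	last, err := VerifyKeyChain(root, links)
	fmt.Println("chain ok:", err == nil, "final key:", strings.SplitN(last, "\n", 2)[0])
}
```

The trust decision is entirely in the first argument to VerifyKeyChain: whoever hands you that one key file (CD, paper, a friend's install) is your root, and everything after it is checked, not assumed. Substituting any key file in the middle of the chain fails verification because the previous release's signature is over the exact bytes of the key file that follows it.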
