On Wed, 21 Feb 2018 10:10:30 +0100
> I know this is a little bit far-fetched, pardon my ignorance, but
> OpenBSD seems vulnerable on first installation. In case of DNS
> poisoning, what can stop a virus from forwarding the installer to a
> false SHA256.sig and false repository? My guess would be to use
> DNSSEC and a local copy of an OpenBSD repository to avoid such issue.
>

If you boot an unverified iso, then what is to stop it replacing your BIOS? Authentication is always bootstrapped by manual processes, including your resolver key!

Also DNSSEC is rarely used and mostly RSA 1024 bit. ECDSA will hopefully get more adoption than RSA has despite I believe persisting to enable amplification albeit to a far smaller degree.

T-shirts of keys were made and can be found in various places including YouTube, worn by developers etc., so that you can verify the iso file before booting it.
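The manual bootstrap described in the reply, sketched as an added example that is not part of the original message or of OpenBSD's tooling: compare a downloaded signify(1) public key with a copy transcribed from an out-of-band source, then check an image against a checksum list. It assumes the signature on the checksum list has already been verified with signify(1) itself; the function names, the sample key and the file name `example.iso` are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def parse_signify_pubkey(text):
    """Parse a signify(1) public key file: one comment line, then base64 of
    b'Ed' + 8-byte key number + 32-byte Ed25519 public key."""
    lines = text.strip().splitlines()
    if len(lines) != 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("not a signify public key file")
    raw = base64.b64decode(lines[1].strip(), validate=True)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("unexpected key algorithm or length")
    return raw[2:10], raw[10:]

def key_matches_printed_copy(pubkey_text, printed_b64):
    """True only if the downloaded key equals the out-of-band transcription."""
    keynum, key = parse_signify_pubkey(pubkey_text)
    # A printed key may be wrapped over several lines; drop all whitespace.
    printed = base64.b64decode("".join(printed_b64.split()), validate=True)
    return hmac.compare_digest(b"Ed" + keynum + key, printed)

def expected_digest(sha256_list, filename):
    """Look up a BSD-style 'SHA256 (name) = hex' line for filename."""
    for line in sha256_list.splitlines():
        m = re.fullmatch(r"SHA256 \((.+)\) = ([0-9a-f]{64})", line.strip())
        if m and m.group(1) == filename:
            return m.group(2)
    raise KeyError(filename)

def image_matches(sha256_list, filename, data):
    """Compare the image's SHA-256 with the value in the (verified) list."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_digest(sha256_list, filename))

# Constructed sample data: not a real OpenBSD key, checksum list or image.
_KEY = b"Ed" + bytes(8) + bytes(range(32))
SAMPLE_PUB = ("untrusted comment: constructed example key\n"
              + base64.b64encode(_KEY).decode() + "\n")
SAMPLE_IMAGE = b"constructed image bytes"
SAMPLE_LIST = ("SHA256 (example.iso) = "
               + hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "\n")

if __name__ == "__main__":
    printed = base64.b64encode(_KEY).decode()
    print(key_matches_printed_copy(SAMPLE_PUB, printed))
    print(image_matches(SAMPLE_LIST, "example.iso", SAMPLE_IMAGE))
```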