On Wed, Aug 13, 2014 at 3:52 PM, Eric Furman wrote:
> On Wed, Aug 13, 2014, at 05:36 PM, Worik Stanton wrote:
>> On 13/08/14 22:13, Eric Furman wrote:
>> [snip]>
>> > The most absolutely best way anyone can contribute to OBSD
>> > is to BUY CDs. Buy some CDs and then buy some more.
>> > Buy the
On Wed, Aug 13, 2014, at 05:36 PM, Worik Stanton wrote:
> On 13/08/14 22:13, Eric Furman wrote:
> [snip]>
> > The most absolutely best way anyone can contribute to OBSD
> > is to BUY CDs. Buy some CDs and then buy some more.
> > Buy them for the stickers. Buy them because they fund OBSD.
> > Wit
On 13/08/14 22:13, Eric Furman wrote:
[snip]>
> The most absolutely best way anyone can contribute to OBSD
> is to BUY CDs. Buy some CDs and then buy some more.
> Buy them for the stickers. Buy them because they fund OBSD.
> Without CD sales OBSD would cease to exist.
> It is as simple as that.
> > > Also if you have a secure method to share the fingerprint then
> > > self-signed are more secure. Personally I would like someone, perhaps
> > > a major browser to create a service where we can login and submit our
> > > fingerprint and
> >
> > oh, I suppose because everything is much safe
On Wed, 13 Aug 2014 11:12:21 -0600
Theo de Raadt wrote:
> > Also if you have a secure method to share the fingerprint then
> > self-signed are more secure. Personally I would like someone, perhaps
> > a major browser to create a service where we can login and submit our
> > fingerprint and
>
>
On 13.08.2014 17:11, Giancarlo Razzolini wrote:
> On 13-08-2014 11:36, Alexander Hall wrote:
>> How did you download your browser? Can you trust all certs it uses?
>> Etc etc...:-p
> It can't. Just see the Turktrust/Google case.
>> So many chickens and eggs here.
> Since we are at this, how can you trust y
> On Wed, 13 Aug 2014 12:19:40 -0300
> Giancarlo Razzolini wrote:
>
> > Today there is never a need for self-signed certs. You can get them for
> > free, there's no excuse.
>
> Tell that to gnupg.org, as I say political... but useful going forward
> but there are only a few keyservers.
>
> Also
On Wed, 13 Aug 2014 12:19:40 -0300
Giancarlo Razzolini wrote:
> Today there is never a need for self-signed certs. You can get them for
> free, there's no excuse.
Tell that to gnupg.org, as I say political... but useful going forward
but there are only a few keyservers.
Also if you have a secure
On 13-08-2014 10:55, Kevin Chadwick wrote:
> Perhaps we should ask debian or arch to ask gnupg.org's keyserver to use
> a CA signed cert but of course they wouldn't and offer a self-signed I
> guess for political reasons or not to trip up those who don't
> understand the issues and perhaps that is t
On 13-08-2014 11:36, Alexander Hall wrote:
> How did you download your browser? Can you trust all certs it uses? Etc
> etc...:-p
It can't. Just see the Turktrust/Google case.
>
> So many chickens and eggs here.
Since we are at this, how can you trust your operating system? Your
hardware? Everyone nee
previously on this list Giancarlo Razzolini contributed:
> > Are there plans to get openbsd.org serving over SSL? That would help a
> > bit in trusting the keys posted to the website.
> >
> No, it wouldn't. If we go down that path, DNSSEC, with all its problems
> is better than SSL for this. Yo
On August 13, 2014 2:04:14 PM CEST, Carlin Bingham wrote:
>On Wed, 13 Aug 2014, at 11:38 AM, Theo de Raadt wrote:
>> >One suggestion/request, to make it even harder for the
>> >man-in-the-middle attack to be successfully employed, could the current
>> >checksums be posted in the announcement of the new
On 13-08-2014 09:54, Carlin Bingham wrote:
> Of course, but doing all that in addition to getting the keys over SSL
> is better than doing all that and not getting the keys over SSL.
>
I did send this same e-mail you sent almost a year ago. We have signify
now. Things have changed. There is always,
On Thu, 14 Aug 2014, at 12:38 AM, Giancarlo Razzolini wrote:
> On 13-08-2014 09:04, Carlin Bingham wrote:
> > Are there plans to get openbsd.org serving over SSL? That would help a
> > bit in trusting the keys posted to the website.
> >
> No, it wouldn't. If we go down that path, DNSSEC, with all i
On 13-08-2014 09:04, Carlin Bingham wrote:
> Are there plans to get openbsd.org serving over SSL? That would help a
> bit in trusting the keys posted to the website.
>
No, it wouldn't. If we go down that path, DNSSEC, with all its problems
is better than SSL for this. You can get free ssl certific
On Wed, 13 Aug 2014, at 11:38 AM, Theo de Raadt wrote:
> >One suggestion/request, to make it even harder for the man-in-the-middle
> >attack to be successfully employed, could the current checksums be posted in
> >the announcement of the new version?
>
> http://www.openbsd.org/55.html
>
>
On Wed, Aug 13, 2014, at 04:47 AM, Kevin Chadwick wrote:
> It has occurred to me that you have been very good in terms of not
> tying the keys in any way to the buying of cds for each
> release/snapshot. I donate what I can rather than buy cd's as it is more
> efficient but I guess the money goes t
previously on this list Theo de Raadt contributed:
> source tree,
Whose fingerprints are available on the website, many of which for years,
and are probably in Google's cache, available over SSL and many other
corners of the web.
> on twitter or google, or anywhere else you like. Ask questions
>
>One suggestion/request, to make it even harder for the man-in-the-middle
>attack to be successfully employed, could the current checksums be posted in
>the announcement of the new version?
http://www.openbsd.org/55.html
signify(1) pubkeys for this release:
base: RWRGy8gxk9N9314J0gh9U0
Checksums? SHA256 files? There are no SHA256 files. Now there are
SHA256.sig files. You are at least 6 months behind the times.
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/signify.1?query=signify&arch=i386
See the EXAMPLES section.
You can visually verify the (very short) sig
My understanding of the problem:
(Bear with me. I'm trying not to ramble too much here.)
For catching simple data errors in the download, there is no problem,
of course. The "attacker" is random chance, so downloading the SHA256
file and comparing the checksums should be sufficient.
The probabi