On August 13, 2014 2:04:14 PM CEST, Carlin Bingham <c...@viennan.net> wrote: >On Wed, 13 Aug 2014, at 11:38 AM, Theo de Raadt wrote: >> >One suggestion/request, to make it even harder for the >man-in-the-middle attack to be successfully employed, could the current >checksums be posted in the announcement of the new version? >> >> http://www.openbsd.org/55.html >> >> signify(1) pubkeys for this release: >> base: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h >> fw: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO >> pkg: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5 >> >> For the upcoming 5.6 release (few months yet), the keys are already >> included in your 5.5 install, or you can find them in your >/etc/signify >> directory. Or, check http://www.openbsd.org/56.html (warning: >> incomplete) >> >> signify(1) pubkeys for this release: >> base: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV >> fw: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw >> pkg: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb >> >> In fact the snapshots available since about a month ago already >include >> the public keys for the 5.7 release next May.... >> > >Are there plans to get openbsd.org serving over SSL? That would help a >bit in trusting the keys posted to the website.
How did you download your browser? Can you trust all certs it uses? Etc etc...:-p So many chickens and eggs here.
