On Fri, Dec 11, 2015 at 12:58:38PM +0100, Kamil Cholewiński wrote:
This is the real thing bothering me. I don't even have a CD drive
available, and I was about to ask if it would be possible to get the
signify keys via paper mail in exchange for a donation.

The official CDs have the signify key physically printed on them.

But both paper and CDs can be intercepted and tampered with (with some effort).

Well then you need to meet Theo in person and obtain the keys from him
directly.  Except, how would you know it was really Theo?

I currently just assume they are correct because it'd be enormously
complex to spoof the entire OpenBSD distribution, but I shouldn't have
to rely on "security through effort involved".

Exactly, and this is a problem with the CDs too. There's currently no
way to securely bootstrap the chain of trust. HTTPS is a way to do that.

Would you really trust HTTPS more than a physical CD being mailed to
you???

Yes, we would have to rely on third parties (CAs). It can be optional
(so that a text browser from an ancient unsupported release can still
access plain HTTP version fine). It can be just a single page like
keys.openbsd.org so that there are few extra computing resources used.
It doesn't have to be Let's Encrypt - heck, I'm willing to go to
RapidSSL or whoever and pay for it myself if someone can give me a CSR
and assist with domain validation.

If you want to rely on third parties, I can send you a copy of the
signify keys, signed by my PGP key.  How would that help you at all?

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com
