Re: Impossibility of cryptographic verification of downloads

2016-05-29 Thread Raul Miller
On Wed, May 25, 2016 at 6:02 PM, Chris Bennett wrote: > 1. The small bad guys. They can put up compromised install files and sig > files. They laugh at the damage they did to you. Jajaja. > > 2. The worse bad guys. Your actual network from your ISP is

Re: Impossibility of cryptographic verification of downloads

2016-05-26 Thread Paul de Weerd
Just purchase a CD set (or purchase a couple, every six months, sponsor the project) and take the signify keys from there. They're even printed on the physical CDs themselves. If your adversary can fake OpenBSD CD sets (in a timely fashion), there's really not much else you can do. Really ..

Re: Impossibility of cryptographic verification of downloads

2016-05-26 Thread Kevin Chadwick
> In the past people have posted photos of signify keys from CDs, > they're on various list posts, release notes, etc. Doing a web > search for the key that you have should find a number of results. > > Once you have *one* verified signify key, as long as you're not > skipping updates, there is a

Re: Impossibility of cryptographic verification of downloads

2016-05-26 Thread Stuart Henderson
On 2016-05-25, Chris Bennett wrote: > Get the SHA256.sig from a different server than the install files, after > all, using just one server could be a problem if it is compromised. You can get the SHA256.sig from the *same* server. You just need to verify

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread lists
Thu, 26 May 2016 04:37:04 +0200 arrowscr...@mail.com > I don't really understand the crypto theory behind it all, but I > didn't read any elaborated argument besides a big "NO" from openbsd The topic of the debate is incorrect, mostly the result of ignorance. signify - cryptographically sign and

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread arrowscript
>Anything else, that has PGP keys and such. Good luck! It's curious you say this Theo, since OpenSSH already uses PGP to sign the releases... no? Web of Trust wouldn't minimize the probability of corrupted packages? What makes you think that the main server (openbsd.org) cannot be pwned?

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread ropers
On 25 May 2016 at 23:59, Rubén Llorente wrote: > Many people is just uding the TOFU model with the keys. > Because I didn't get it at first and had to google it: For the archives: is -> are (grammar) uding -> using (typo) TOFU -> Trust On First Use

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Ivan Markin
Eduard - Gabriel Munteanu: > Well, you could certainly put the key and signify sources on the > main website. As Theo said they're at the corresponding pages [s/http/https/g]: > You mean like here? > > http://www.openbsd.org/59.html > > and > > http://www.openbsd.org/58.html > > and > >

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Eduard - Gabriel Munteanu
On Wed, 2016-05-25 at 17:22 -0600, Theo de Raadt wrote: > > Well, you could certainly put the key and signify sources on the main > > website. The CVS thing doesn't seem to be HTTPS-enabled. > > You mean like here? [...] Oops, I completely missed those. I was looking at the download page and

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Theo de Raadt
> By the same reasoning, you don't really need security fixes and > countermeasures either. So much for the security-oriented OS. I am glad we hit the point where you go run something else. Anything else, that has PGP keys and such. Good luck!

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Theo de Raadt
> Well, you could certainly put the key and signify sources on the main > website. The CVS thing doesn't seem to be HTTPS-enabled. You mean like here? http://www.openbsd.org/59.html and http://www.openbsd.org/58.html and http://www.openbsd.org/57.html and http://www.openbsd.org/56.html

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Eduard - Gabriel Munteanu
On Wed, 2016-05-25 at 17:02 -0500, Chris Bennett wrote: > Get the SHA256.sig from a different server than the install files, after > all, using just one server could be a problem if it is compromised. > > And face the reality of things: > > 1. The small bad guys. They can put up compromised

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Eduard - Gabriel Munteanu
On Wed, 2016-05-25 at 16:18 -0600, Theo de Raadt wrote: > > It currently seems impossible to verify downloads from a computer > > without OpenBSD, for a few reasons: > > > > 1. No securely-distributed public key > > 2. Lack of signify packages in e.g. Linux distros, or > > securely-distributed

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Rubén Llorente
Eduard - Gabriel Munteanu wrote: > Hi, > > It currently seems impossible to verify downloads from a computer > without OpenBSD, for a few reasons: > > 1. No securely-distributed public key > 2. Lack of signify packages in e.g. Linux distros, or > securely-distributed sources

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Chris Bennett
On Wed, May 25, 2016 at 11:08:44PM +0300, Eduard - Gabriel Munteanu wrote: > Hi, > > It currently seems impossible to verify downloads from a computer > without OpenBSD, for a few reasons: > > 1. No securely-distributed public key > 2. Lack of signify packages in e.g. Linux distros, or >

Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Theo de Raadt
> It currently seems impossible to verify downloads from a computer > without OpenBSD, for a few reasons: > > 1. No securely-distributed public key > 2. Lack of signify packages in e.g. Linux distros, or > securely-distributed sources > > To keep things simple, I propose mirroring SHA256SUM

Impossibility of cryptographic verification of downloads

2016-05-25 Thread Eduard - Gabriel Munteanu
Hi, It currently seems impossible to verify downloads from a computer without OpenBSD, for a few reasons: 1. No securely-distributed public key 2. Lack of signify packages in e.g. Linux distros, or securely-distributed sources To keep things simple, I propose mirroring SHA256SUM files onto the