That could also mean "This is THE openbsd.org site" if you're using the EFF SSL
Observatory.


On Wed, Sep 11, 2013 at 5:46 PM, Janne Johansson <icepic...@gmail.com> wrote:

> So you publish something on a HTTPS page, which means that when the
> browser says "green padlock", it only says: "this site was using a key
> signed by someone who in turn was signed by someone out of a few hundred
> CAs in a list which include companies in scary countries*". That will help
> a lot.
>
>
> *) Please exchange the list of scary countries to whatever scares you in
> your particular example. For Syria it could be the US, for US it could be
> Syria. Or some other combination of opposition.
>
>
>
> 2013/9/11 Valentin Zagura <put...@gmail.com>
>
>> Thanks for the suggestion, we will probably order the CD.
>>
>> But on the other hand, I hope that you realize that people in some
>> countries (Iran, China, Egypt, Syria) would not have this possibility and
>> they could be more affected by a compromise than we would be (they might
>> probably pay with their lives) and I hope you guys are also thinking of
>> them.
>>
>> Thanks,
>> Valentin Zagura
>>
>>
>> On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
>>
>> > On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
>> >
>> > > We are going to use an OpenBSD system in a PCI-DSS compliant environment.
>> > > Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
>> > > image we use for our installation can be checked so that it is the correct
>> > > one (is not modified in a malicious way by a third party)?
>> >
>> > Probably not what you want to hear, but starting with
>> > http://www.openbsd.org/orders.html
>> > is usually an excellent idea in this context. Verifiably delivered from a
>> > trusted source.
>> >
>> > > A https link to some kind of ISO checksum or something similar (but using
>> > > strong cryptography) I think would do it, but I could not find any (except
>> > > a line in the FAQ stating "If the men in black suits are out to get you,
>> > > they're going to get you." which is not the case :) )
>> >
>> > It's possible some of the more prominent entries on
>> > http://www.openbsd.org/support.html
>> > could be persuaded to provide something like that (M:Tier comes to mind,
>> > but why are they not on that page?) in exchange for a reasonable fee.
>> >
>> > But again, for -RELEASE, the CD sets are a good starting point.
>> >
>> > - Peter
>> >
>> > --
>> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>> > "Remember to set the evil bit on all malicious network traffic"
>> > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>> >
>>
>
>
>
> --
> May the most significant bit of your life be positive.
>
