And from that we can deduce what? $evil_country can't spend $10k to be able to intercept and silently MITM all https?
2013/9/11 InterNetX - Robert Garrett <robert.garr...@internetx.com>
> also means somebody paid a lot of money for that green bar
>
> On 09/11/2013 04:46 PM, Janne Johansson wrote:
>> So you publish something on a HTTPS page, which means that when the browser says "green padlock", it only says: "this site was using a key signed by someone who in turn was signed by someone out of a few hundred CAs in a list which includes companies in scary countries*". That will help a lot.
>>
>> *) Please exchange the list of scary countries to whatever scares you in your particular example. For Syria it could be the US, for the US it could be Syria. Or some other combination of opposition.
>>
>> 2013/9/11 Valentin Zagura <put...@gmail.com>
>>> Thanks for the suggestion, we will probably order the CD.
>>>
>>> But on the other hand, I hope that you realize that people in some countries (Iran, China, Egypt, Syria) would not have this possibility and they could be more affected by a compromise than we would be (they might probably pay with their lives) and I hope you guys are also thinking of them.
>>>
>>> Thanks,
>>> Valentin Zagura
>>>
>>> On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
>>>> On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
>>>>> We are going to use an OpenBSD system in a PCI-DSS compliant environment.
>>>>> Is there any way we can prove to our PCI-DSS assessor that the OpenBSD image we use for our installation can be checked so that it is the correct one (is not modified in a malicious way by a third party)?
>>>>
>>>> Probably not what you want to hear, but starting with http://www.openbsd.org/orders.html is usually an excellent idea in this context. Verifiably delivered from a trusted source.
>>>>
>>>>> A https link to some kind of ISO checksum or something similar (but using strong cryptography) I think would do it, but I could not find any (except a line in the FAQ stating "If the men in black suits are out to get you, they're going to get you." which is not the case :) )
>>>>
>>>> It's possible some of the more prominent entries on http://www.openbsd.org/support.html could be persuaded to provide something like that (M:Tier comes to mind, but why are they not on that page?) in exchange for a reasonable fee.
>>>>
>>>> But again, for -RELEASE, the CD sets are a good starting point.
>>>>
>>>> - Peter
>>>>
>>>> --
>>>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>>>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>>>> "Remember to set the evil bit on all malicious network traffic"
>>>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
> Kind regards
>
> Robert Garrett
> Senior System Engineer
> Technical Projects & Solutions
> --
> InterNetX GmbH
> Maximilianstr. 6
> 93047 Regensburg
> Germany
>
> Tel. +49 941 59559-480
> Fax +49 941 59559-245
>
> www.internetx.com
> www.facebook.com/InterNetX
> www.twitter.com/InterNetX
>
> Managing Director/CEO: Thomas Mörz
> Amtsgericht Regensburg, HRB 7142

--
May the most significant bit of your life be positive.