On Wed, Sep 11, 2013 at 08:42:46PM +0300, Valentin Zagura wrote:
> The idea was to display a checksum of the files on such a https page.
> Like for example https://www.freebsd.org/releases/9.1R/announce.html at the
> bottom of the page.
>
>
> On Wed, Sep 11, 2013 at 7:18 PM, Stuart Henderson <st...@openbsd.org> wrote:
>
> > On 2013/09/11 16:46, Janne Johansson wrote:
> > > So you publish something on a HTTPS page, which means that when the browser
> > > says "green padlock", it only says: "this site was using a key signed by
> > > someone who in turn was signed by someone out of a few hundred CAs in a
> > > list which include companies in scary countries*". That will help a
> > > lot.

Add to that most of the top-level CAs are U.S. based and just as likely
to bend over as Surprizon, USFest, Microslop, etc. The certificates they
issue are probably not worth a damn much less those issued by
intermediate CAs.

> > Also it says nothing about the contents of the *files* on that site...

You can PGP clearsign webpages. It's kind of cool but how many people
are actually going to verify them? Maybe if there was a Firefox plugin
<grin>
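Added example, not part of the original message: what verifying a clearsigned announcement and then a downloaded file against it looks like with GnuPG, so the check depends on the signer's key rather than on the CA behind the HTTPS page. The key, file names, page text and the `verify_release` and `make_demo` helpers are constructed for the demo; it assumes GnuPG 2.1 or later and `sha256sum`.

```bash
#!/usr/bin/env bash
# Added example: all keys, files and digests are constructed for the demo.

# verify_release PAGE.asc FILE: succeed only if the clearsigned page verifies
# against the keyring in $GNUPGHOME and FILE's SHA-256 matches the digest the
# signed text lists for it (BSD style: "SHA256 (name) = hex").
verify_release() {
    local page=$1 file=$2 signed want got
    # --decrypt checks the signature and emits only the signed text, so
    # anything placed outside the armor is never parsed.
    signed=$(gpg --batch --quiet --decrypt "$page" 2>/dev/null) || return 1
    want=$(printf '%s\n' "$signed" | awk -v n="($(basename "$file"))" \
        '$1 == "SHA256" && $2 == n && $3 == "=" { print $4; exit }')
    got=$(sha256sum "$file" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Build a throwaway keyring, a sample "release" file and a clearsigned page.
make_demo() {
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Signer <signer@example.invalid>' \
        default default never 2>/dev/null || return 1
    printf 'constructed release image\n' > "$work/install.iso"
    {
        echo 'Example 1.0 release announcement (constructed)'
        echo "SHA256 (install.iso) = $(sha256sum "$work/install.iso" | awk '{ print $1 }')"
    } > "$work/announce.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign "$work/announce.txt"      # writes announce.txt.asc
}

make_demo || { echo "gpg setup failed" >&2; exit 1; }
# Stop the throwaway agent and remove the demo directory on exit.
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
verify_release "$work/announce.txt.asc" "$work/install.iso" && echo "release OK"
```

In real use the signer's public key has to reach the reader over a channel they already trust; the demo sidesteps that by generating the key locally.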
