Security itself is not the primary issue here. The issue is to easily prove
to an assessor "without reasonable doubt" that you are running the right thing.
They will not worry about governments trying to break in with MITM signed
SSL or about armies breaking in with tanks. But they would worry about
me not building the image the right way, someone tampering with the image
or leaving the door unlocked at the server room.
Also, they require people to take responsibility for the thing they do (in
this case, CD images).


On Fri, Sep 13, 2013 at 1:56 AM, Kenneth R Westerback <kwesterb...@rogers.com> wrote:

> On Thu, Sep 12, 2013 at 07:52:22PM +0300, Valentin Zagura wrote:
> > > There is no entity
> > > that owns or can be held responsible for the code, or is capable
> > > of providing a solid evidentiary path from commit to your hands.
> >
> > I thought if we buy the CDs we WILL get "a solid evidentiary path from
> > commit to" our hands.
> >
> > So this isn't the case?
>
> Physical email is as susceptible to MITM attacks as network connections. I
> know a story of laptops entering the mail system and car springs coming
> out the other end in the same box. :-)
>
> CDs will give you the best evidentiary path available. Compiling everything
> yourself with a compiler and hardware you built from piles of dirt in a
> clean room would be better. And then you still have to worry about nano
> technology being slipped into the dirt.
>
> .... Ken
>
> >
> > On Wed, Sep 11, 2013 at 1:58 PM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> >
> > > On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
> > >
> > > > We are going to use an OpenBSD system in a PCI-DSS compliant environment.
> > > > Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
> > > > image we use for our installation can be checked so that it is the correct
> > > > one (is not modified in a malicious way by a third party)?
> > >
> > > Probably not what you want to hear, but starting with
> > > http://www.openbsd.org/orders.html
> > > is usually an excellent idea in this context. Verifiably delivered from a
> > > trusted source.
> > >
> > > > An https link to some kind of ISO checksum or something similar (but using
> > > > strong cryptography) I think would do it, but I could not find any (except
> > > > a line in the FAQ stating "If the men in black suits are out to get you,
> > > > they're going to get you." which is not the case :) )
> > >
> > > It's possible some of the more prominent entries on
> > > http://www.openbsd.org/support.html
> > > could be persuaded to provide something like that (M:Tier comes to mind,
> > > but why are they not on that page?) in exchange for a reasonable fee.
> > >
> > > But again, for -RELEASE, the CD sets are a good starting point.
> > >
> > > - Peter
> > >
> > > --
> > > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > > "Remember to set the evil bit on all malicious network traffic"
> > > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> > >
>
