
Digital Signatures



I have a proposal for distributing digitally signed information
about OpenBSD which is fairly light-weight.

At Thawte there is the personal certificate programme, where
you can get those for free.
You have to authenticate yourself to so-called notaries in
order to get your real name into the (S/MIME) cert.

Once you have got the cert with, for example, MS Internet Explorer,
you can export it as .pfx and import it using openssl pkcs12.

Using openssl smime one can create signed mails this way,
and getting the (trusted) Thawte Root CA Cert should be no
problem.

My proposal would be that at least two "core" people on
OpenBSD get those personal free certs:

Wim, because he then can distribute, for example monthly,
the SHA-1 hashes of the CTM delta files (.gz).

Some core developer, ideally Theo, because he then can,
for example when they come up, distribute the SHA-1 hashes
of the
 - release tarballs, etc.
 - snapshots
 - patches
 - CD contents (src.tgz et al. come to mind).

Furthermore, a skeleton ~/.ssh/known_hosts file with
the host keys of all anoncvs mirrors ought to be
available, also monthly I would say.

For this purpose - quite low-traffic because no responses -
the OpenBSD team could either use the announce@ mailing list
(if it exists, or does my mind betray me?) or make a new
mailing list.

Then the (at least two) persons would prepare the message
bodies using openssl smime, and via openssl smime -verify
(having the Thawte Root CA Cert) every user could verify
these posts.
Users using cvs can copy/merge ~/.ssh/known_hosts-skeleton
into their own.

I hope you get the concept?
I also would enjoy seeing this skeleton known_hosts file
on the CD (misc31.tgz), for that matter.
So if one buys a CD at, let's say, BSDcon, directly from the
developers, he can also be sure that his cvs updates are
correct.

Using this S/MIME key also a https server certificate
(self-signed for this matter) can be distributed, thus
securing https://www.xx.openbsd.org/ also.

I know that some "notaries" of Thawte's Web of Trust
demand some money for the identification service, as
it's sort of work for them, and hereby volunteer to
donate EUR 25.-- to get this done.
I also volunteer to write a HTML page explaining the
concept, which can be included on the website, in both
English and German.

If this sounds reasonable and not too much work for
the developers, I would be glad to receive feedback
on this.
Anyways, I hereby call for discussion on misc@ or
any better-suited place (comp.os.unix.openbsd.misc?).

Thorsten
-- 
Yes, I am root on my box, my friends' boxen and my mailgate.
And yes, I do know how to handle it. Yes, I know about kill-
rules, too. So WTF do you still bother filling my syslog?
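
The signing and verification flow proposed in the message above, as an added example that is not part of the original post. A throwaway self-signed certificate stands in for the Thawte-issued certificate and root CA, and the function names and sample file name are constructed for illustration.

```shell
#!/bin/sh
# Added example. A throwaway self-signed certificate stands in for both the
# Thawte-issued personal certificate and the Thawte root CA (assumption).

make_signer() {      # $1 = dir that receives key.pem and cert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

make_manifest() {    # $1 = dir of files; prints "<sha1> *<name>" lines
    ( cd "$1" && openssl dgst -sha1 -r * )   # SHA-1 as named in the post
}

sign_manifest() {    # $1 = signer dir, $2 = manifest, $3 = signed mail out
    openssl smime -sign -text -in "$2" \
        -signer "$1/cert.pem" -inkey "$1/key.pem" -out "$3"
}

verify_manifest() {  # $1 = signed mail, $2 = trusted CA file, $3 = body out
    # Fails if the body was altered or the signer does not chain to $2.
    openssl smime -verify -text -in "$1" -CAfile "$2" \
        -out "$3.tmp" 2>/dev/null || { rm -f "$3.tmp"; return 1; }
    tr -d '\r' < "$3.tmp" > "$3" && rm -f "$3.tmp"   # strip S/MIME CRs
}

check_file() {       # $1 = verified manifest, $2 = dir, $3 = file name
    line=$(cd "$2" && openssl dgst -sha1 -r "$3") || return 1
    grep -qxF -e "$line" "$1"   # local hash must appear in signed manifest
}

# Demo on constructed data (the file name is made up).
work=$(mktemp -d) && mkdir "$work/files"
printf 'constructed delta\n' > "$work/files/src-cur.0001.gz"
make_signer "$work"
make_manifest "$work/files" > "$work/manifest.txt"
sign_manifest "$work" "$work/manifest.txt" "$work/signed.eml"
verify_manifest "$work/signed.eml" "$work/cert.pem" "$work/verified.txt" &&
    check_file "$work/verified.txt" "$work/files" src-cur.0001.gz &&
    echo "signature and hash OK"
rm -rf "$work"
```

Only the hashes in the body written by a successful verify_manifest should be trusted; reading them straight from the mail skips the signature check.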