[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVS server public keys



> 
> You know, we really need to add each server's public keys to the cvs page
> on openbsd.org. Certain machines have their keys changed rather often it
> seems and it would be nice to know what's going on when you see the
> "warning" messages.
> 

	True, however many of the machines allow rsh access anyhow, so
being protected from man-in-the-middle on an anoncvs transaction isn't
as much of a priority as anoncvs being accessible. As for knowing
what's going on - *mail the site maintainer*, particularly seeing as
you're probably not likely to see a public key on a web page *before*
you connect and see the message about the key changing. It's awkward
enough to verify for most people that even with a key on the web page
they won't do it.

	If we are truly concerned about an anoncvs transaction being
compromised en route, worry about rsh and pserver connections
first. (rsh accounts for about half of the connections to anoncvs1.ca
at the moment I believe) If we go that far (not saying we should) then
worry about things like publishing ssh public keys.
 
	-Bob