Hannah Schroeter wrote:

quoted text
> ...

>> AFS is also encrypted, but unless its used to

>> get all the tarballs and make them accessible locally (e.g. make a cd)

>> it's not a help during the installation.

>

> I don't know enough about AFS to say anything about how to secure it

> from the beginning on.

I'm not very knowledgeable, but have been looking at the documenation

lately:

	http://www.openafs.org/pages/doc/AdminGuide/auagd007.htm#HDRWQ75
> ...

quoted text
>> Given the existence of Windows servers (aka compromised machines) on

>> many networks, there are many chances for traffic to be intercepted,

>> often even DNS.  So man-in-the-middle attacks appear to be theoretically

>> easy during the first part of an OpenBSD network installation.

>

> Yes, alas. And especially, for government "legal" interception, where

> they could legally enlist help from ISPs.

So, intentional (corporate or government agreement with ISP) or

unintentional (use of M$ on ISP DNS server), could allow the initial

installation to become compromised, perhaps in a hard-to-detect way.
None of this seems to be solved in the installation guide:

	http://openbsd.org/faq/faq4.html
Again, it looks like it might come down to keys or fingerprints and that

the network install might be depreciated.  Rather, download, verify,

then install.
-Lars