Re: Code signing in OpenBSD

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Lars Noodén <larsnooden@...>

To: Hannah Schroeter <hannah@...>

Cc: Misc OpenBSD <misc@...>

Subject: Re: Code signing in OpenBSD

Date: Thursday, December 6, 2007 - 10:01 am

Hannah Schroeter wrote:
quoted text> ...
>> AFS is also encrypted, but unless its used to
>> get all the tarballs and make them accessible locally (e.g. make a cd)
>> it's not a help during the installation.
> 
> I don't know enough about AFS to say anything about how to secure it
> from the beginning on.

I'm not very knowledgeable, but have been looking at the documenation
lately:
	http://www.openafs.org/pages/doc/AdminGuide/auagd007.htm#HDRWQ75

quoted text> ...
>> Given the existence of Windows servers (aka compromised machines) on
>> many networks, there are many chances for traffic to be intercepted,
>> often even DNS.  So man-in-the-middle attacks appear to be theoretically
>> easy during the first part of an OpenBSD network installation.
> 
> Yes, alas. And especially, for government "legal" interception, where
> they could legally enlist help from ISPs.

So, intentional (corporate or government agreement with ISP) or
unintentional (use of M$ on ISP DNS server), could allow the initial
installation to become compromised, perhaps in a hard-to-detect way.

None of this seems to be solved in the installation guide:
	http://openbsd.org/faq/faq4.html

Again, it looks like it might come down to keys or fingerprints and that
the network install might be depreciated.  Rather, download, verify,
then install.

-Lars

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: Code signing in OpenBSD, Lars Noodén, (Thu Dec 6, 10:01 am)

Re: Code signing in OpenBSD, bofh, (Thu Dec 6, 10:47 am)

Re: Code signing in OpenBSD, Lars Noodén, (Thu Dec 6, 11:12 am)

Re: Code signing in OpenBSD, bofh, (Thu Dec 6, 11:21 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Greg KH	Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scan...
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Parag Warudkar	BUG: soft lockup - CPU#1 stuck for 15s! [swapper:0]
git:
Jakub Narebski	Re: VCS comparison table
Jakub Narebski	Git User's Survey 2007 unfinished summary continued
Linus Torvalds	I'm a total push-over..
Marco Costalba	Decompression speed: zip vs lzo
openbsd-misc:
Richard Stallman	Real men don't attack straw men
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Marcos Laufer	dmesg IBM x3650 OpenBSD 4.3
Bill Chmura	SSL Certs on Carp'd web servers
linux-netdev:
Denys Fedoryshchenko	thousands of classes, e1000 TX unit hang
Steve French	Fwd: [PATCH] Fix CIFS compilation with CONFIG_KEYS unset
Jens Axboe	Re: [BUG] New Kernel Bugs
KOSAKI Motohiro	[bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"

Latest forum posts


Treason Uncloaked	3 hours ago	Linux kernel
Shared swap partition	14 hours ago	Linux general
high memory	2 days ago	Linux kernel
semaphore access speed	2 days ago	Applications and Utilities
the kernel how to power off the machine	2 days ago	Linux kernel
Easter Eggs in windows XP	2 days ago	Windows
Root password	2 days ago	Linux general
Where/when DNOTIFY is used?	2 days ago	Linux kernel
How to convert Linux Kernel built-in module into a loadable module	2 days ago	Linux kernel
Linux 2.6.24 and I/O schedulers	2 days ago	Linux kernel

Show all forums...

Recent Tags

Linux -rc Linus Torvalds -rc8 quote Intel bugs 2.6.27 2.6.27-rc8

more tags

Colocation donated by:

Online users

Syndicate