Re: HTTPS trust anchors in sysinst

[Mouse <mouse%Rodents-Montreal.ORG@localhost>]

> [*] We should _also_ bake a public signature verification key into
>     the installers that can verify a signature on the sets which can
>     in turn be made only by TNF -- not by any of the public HTTPS
>     CAs.  But that's a separate issue that requires more key
>     management and software verifier setup than we have settled now.

Once you have that, it seems to me that the use of SSL on either HTTP
or FTP becomes pointless CPU cycle wasting.  This then leads me to
wonder two things: (1) is doing SSL a case of the good being the enemy
of the best (because people will fall into the trap of thinking that
SSL means "it's secure" without asking "...against what?"[%])? and (2)
is all this kerfuffle about CA trust anchors effort that would better
be put into designing and building the right answer?

Also, if you're doing public-key crypto - for anything - in the
installers, this will drastically, I am tempted to say
catastrophically, slow down installation on low-end machines, like a
MicroVAX-II or Sun-3.  (Of course, NetBSD might be fine with that.  I
just think it should be at least thought about.)

[%] I recently - less than a week ago - had someone try to tell me that
the use of HTTPS by a website would make that website harder to crack,
when it actually would be either the same or easier (more exposed
attack surface).  Clearly a case of misunderstanding what HTTPS does
and doesn't secure - but if that sort of thinking is common....

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B