Harpalus a Como wrote:
What is the benefit of doing so? What's the point? Is the website so likely
to be hacked into, that the developers need to sign all communication just
to ensure that it comes from them? There's absolutely no need to signing
errata or official communications. Name one justifiable use for them. If the
OpenBSD developers didn't care about "secure communications", then OpenSSH
would not exist.
Can you dismiss PKI and the benefits that OpenPGP signatures provide to your user community? Knowing that xyz binary is signed by OpenBSD for distribution or abc email came from an official OpenBSD source is a good thing. Trojaned binaries and forged emails happen. PKI can help mitigate this. The benefit of PKI is widely known and accepted and does not need to be rehashed here. I'm surprised that OpenBSD (the most secure OS I know of) does not use it, that's all I'm saying. I also thought there would be a real reason for not doing so and there may in fact be and I may just be unaware of it.
