Date: Fri, 08 Aug 2008 22:13:41 +0300
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org>
To: Dick Hardt <dick@...p.com>
Cc: cryptography@...zdowd.com, Eric Rescorla <ekr@...workresonance.com>,
	Dave Korn <dave.korn@...imi.com>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	OpenID List <general@...nid.net>, security@...nid.net
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Dick Hardt:
> On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
>> It also only fixes this single type of key compromise. Surely it is
>> time to stop ignoring CRLs before something more serious goes wrong?
>
> Clearly many implementors have chosen to *knowingly* ignore CRLs
> despite the security implications

Please note that Firefox 3 implements OCSP checking, which is turned on
by default. It's more efficient than CRLs. In that respect, also note
that some CAs support neither CRL distribution points in the end user
certificates nor OCSP at all. Obviously those are details a subscriber
should check before purchasing a certificate.

Also, subscribers share the responsibilities with the CA in cases such as
the Debian fiasco; most CAs have refrained from detecting and revoking
affected certificates. Just to make it clear: this problem isn't
specific to OpenID but affects all web sites, and we discussed this issue
extensively over at Mozilla (dev.tech.crypto).


Regards
Signer: 	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: 	startcom@...rtcom.org <xmpp:startcom@...rtcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Phone: 	+1.213.341.0390
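The message above says a subscriber should check, before buying a certificate, whether the CA puts an OCSP responder and CRL distribution points into its end-entity certificates. The following shell script is an added example, not code from this thread or from StartCom, Mozilla or any CA; it uses the openssl command-line tool (assumed to be version 1.1.1 or newer for the `-addext` option) to inspect a PEM certificate for both pointers. The two certificates it generates are constructed throwaway test inputs, and the `example.invalid` URIs are placeholders, not real responders.

```shell
#!/bin/sh
# Added example: report whether a certificate carries the pointers a client
# needs for revocation checking: an OCSP responder URI in the Authority
# Information Access extension and a CRL Distribution Points extension.
# Assumes the openssl CLI (1.1.1+) is on PATH.

# Print the OCSP responder URI(s) embedded in a PEM certificate (empty if none).
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Print the URI(s) listed in the CRL Distribution Points extension (empty if none).
# The sed range isolates that extension in the -text dump; grep pulls out URIs.
crl_dp() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/CRL Distribution Points/,/^ *X509v3/p' \
        | grep -o 'URI:[^ ]*' || true
}

# Succeed (exit 0) only when the certificate names both an OCSP responder
# (live check) and a CRL (offline fallback), i.e. a client is never forced
# to skip revocation checking for lack of a source.
has_revocation_pointers() {
    cert="$1"
    o=$(ocsp_uri "$cert" || true)
    c=$(crl_dp "$cert" || true)
    [ -n "$o" ] && [ -n "$c" ]
}

# Constructed sample inputs: two self-signed throwaway certificates, one that
# carries both pointers and one that carries neither. Placeholder URIs only.
make_cert() {
    out="$1"; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example test" \
        -keyout "${out%.pem}.key" -out "$out" "$@" 2>/dev/null
}

WORK=$(mktemp -d)
make_cert "$WORK/with.pem" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/" \
    -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl"
make_cert "$WORK/without.pem"

# Run the check over both: the first should pass, the second should be flagged.
for c in "$WORK/with.pem" "$WORK/without.pem"; do
    if has_revocation_pointers "$c"; then
        echo "$c: OCSP=$(ocsp_uri "$c") CRL=$(crl_dp "$c")"
    else
        echo "$c: missing OCSP responder and/or CRL distribution point"
    fi
done
```

To audit a certificate you already hold, call `has_revocation_pointers /path/to/cert.pem`; a non-zero exit means a client honouring only OCSP (as Firefox 3 did by default) or only CRLs would have no revocation source for that certificate.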
