[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 08 Aug 2008 13:44:07 -0400
From: Gerald Beuchelt <beuchelt@....com>
To: Dick Hardt <dick@...p.com>
Cc: cryptography@...zdowd.com, Eric Rescorla <ekr@...workresonance.com>,
Dave Korn <dave.korn@...imi.com>,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
OpenID List <general@...nid.net>, security@...nid.net
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache
poisoning advisory
Dick Hardt wrote:
> On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
>
>> It also only fixes this single type of key compromise. Surely it is
>> time to stop ignoring CRLs before something more serious goes wrong?
>>
>
> Clearly many implementors have chosen to *knowingly* ignore CRLs
> despite the security implications, so my take away would be that the
> current public key infrastructure is flawed.
>
>
Well, they might have done this *knowingly*, but--at least for
some--I doubt that they *know* what they have done. IMO, it is bad
practice to implement only half of a protocol/standard for any reason
(especially out of laziness or ignorance), but that is what using
certificates without CRL checking amounts to.
If we believe that the current PKI was truly flawed, it would be an
act of gross negligence to use it for anything requiring a properly
secured communication channel.
To extend Ben's advice: Decide if you want to use the current PKI.
If so, implement CRL checking.
Gerald
> -- Dick
>
> _______________________________________________
> general mailing list
> general@...nid.net
> http://openid.net/mailman/listinfo/general
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists