Message-ID: <489CA93F.5030907@startcom.org>
Date: Fri, 08 Aug 2008 23:14:55 +0300
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org>
To: Ben Laurie <benl@...gle.com>
Cc: security@...nid.net, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com, OpenID List <general@...nid.net>,
	cryptography@...zdowd.com
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache
	poisoning advisory

Ben Laurie:
>
> If you have a better forum, bring it on.
>
> However, CAs do not have everything at their disposal to remove the
> threat. Browsers, OpenID libraries and RPs must also participate.
>    

Yes! First of all you've got the dev.tech.crypto mailing list at Mozilla 
where this issue has been discussed with the participation of various CAs 
including us (StartCom), Verisign, Comodo and some others. As a result 
of this discussion, StartCom revoked all affected keys after notifying 
the subscribers, Verisign and Comodo scanned and pinged all affected 
subscribers and may have revoked subscriber keys (not sure about the 
latter, but Comodo reserved the right to do so, not sure if they 
actually did). The list is at 
https://lists.mozilla.org/listinfo/dev-tech-crypto

Another good forum might be the CA/Browser forum at http://www.cabforum.org/
I'm not aware if this issue was discussed there.

> Just as saying "buffer overflows are bad" has not magically caused all
> buffer overflows to be fixed, I am confident that the only way to get
> this problem fixed is to chase down all the culprits individually.

As I indicated, I believe this to be the wrong approach - especially not 
targeting OpenID whose following is still rather smallish compared to 
others... You still can find many affected sites and services including 
financial institutions (banks), government agencies and more... finding a 
few OpenID OPs is certainly not a surprise (I was surprised to learn 
about SUN having an affected key however ;-) ) since around 3% of all 
web sites were affected before disclosure.

> I am sure that OpenID is not the only thing with problems, as you say.
>    

Nope! I'll be glad to facilitate and help you to advance awareness at 
any forum you choose, which hopefully will have a better effect overall 
than to single out specific standards and services. In that respect I 
suggest changing the current advisory relating to OpenID.


Regards
Signer: 	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: 	startcom@...rtcom.org <xmpp:startcom@...rtcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Phone: 	+1.213.341.0390

