[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <489CA93F.5030907@startcom.org>
Date: Fri, 08 Aug 2008 23:14:55 +0300
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org>
To: Ben Laurie <benl@...gle.com>
Cc: security@...nid.net, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com, OpenID List <general@...nid.net>,
cryptography@...zdowd.com
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache
poisoning advisory
Ben Laurie:
>
> If you have a better forum, bring it on.
>
> However, CAs do not have everything at their disposal to remove the
> threat. Browsers,OpenID libraries and RPs must also participate.
>
Yes! First of all you've got the dev.tech.crypto mailing list at Mozilla
where this issue has been discussed with the partition of various CAs
including us (StartCom), Verisign, Comodo and some others. As a result
of this discussion, StartCom revoked all affected keys after notifying
the subscribers, Verisign and Comodo scanned and pinged all affected
subscribers and may have revoked subscriber keys (not sure about the
latter, but Comodo reserved the right to do so, not sure if they
actually did). The list is at
https://lists.mozilla.org/listinfo/dev-tech-crypto
Another good forum might be the CA/Browser forum at http://www.cabforum.org/
I'm not aware if this issue was discussed there.
> Just as saying "buffer overflows are bad" has not magically caused all
> buffer overflows to be fixed, I am confident that the only way to get
> this problem fixed is to chase down all the culprits individually.
As I indicated, I believe this to be the wrong approach - specially not
targeting OpenID whose following is still rather smallish compared to
others...You still can find many affected sites and services including
financial institutions (banks), government agencies and more...finding a
few OpenID OPs is certainly not a surprise (I was surprised to learn
about SUN having an affected key however ;-) ) since around 3 % of all
web sites were affected before disclosure.
> I am sure that OpenID is not the only thing with problems, as you say.
>
Nope! I'll be glad to facilitate and help you to advance awareness at
any forum you choose, which hopefully will have a better effect overall,
than to single out specific standards and services. In that respect I
suggest to change the current advisory relating to OpenID.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom@...rtcom.org <xmpp:startcom@...rtcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
Content of type "text/html" skipped
Download attachment "smime.p7s" of type "application/pkcs7-signature" (7327 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists