lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 8 Aug 2008 13:47:10 -0700
From: Peter Williams <pwilliams@...attoni.com>
To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org>, Ben Laurie
	<benl@...gle.com>
Cc: "security@...nid.net" <security@...nid.net>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	OpenID List <general@...nid.net>,
	"cryptography@...zdowd.com" <cryptography@...zdowd.com>
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache
	poisoning advisory

It did seem strange that openid was singled out. The publicity will be only beneficial, however. Openid had no pretentions to grandeur in the higher assurance arena, of course. Now it getting more relevant, of course increasing relevancy now begs the question: should that stance continue? Who wants to rely on openid for blog spamming protection or antiphishing (both claims made about openid) if they don't really work!

________________________________
From: Eddy Nigg (StartCom Ltd.) <eddy_nigg@...rtcom.org>
Sent: Friday, August 08, 2008 3:30 PM
To: Ben Laurie <benl@...gle.com>
Cc: security@...nid.net <security@...nid.net>; full-disclosure@...ts.grok.org.uk <full-disclosure@...ts.grok.org.uk>; bugtraq@...urityfocus.com <bugtraq@...urityfocus.com>; OpenID List <general@...nid.net>; cryptography@...zdowd.com <cryptography@...zdowd.com>
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Ben Laurie:


If you have a better forum, bring it on.

However, CAs do not have everything at their disposal to remove the
threat. Browsers,OpenID libraries and RPs must also participate.


Yes! First of all you've got the dev.tech.crypto mailing list at Mozilla where this issue has been discussed with the partition of various CAs including us (StartCom), Verisign, Comodo and some others. As a result of this discussion, StartCom revoked all affected keys after notifying the subscribers, Verisign and Comodo scanned and pinged all affected subscribers and may have revoked subscriber keys (not sure about the latter, but Comodo reserved the right to do so, not sure if they actually did). The list is at https://lists.mozilla.org/listinfo/dev-tech-crypto

Another good forum might be the CA/Browser forum at http://www.cabforum.org/
I'm not aware if this issue was discussed there.



Just as saying "buffer overflows are bad" has not magically caused all
buffer overflows to be fixed, I am confident that the only way to get
this problem fixed is to chase down all the culprits individually.

As I indicated, I believe this to be the wrong approach - specially not targeting OpenID whose following is still rather smallish compared to others...You still can find many affected sites and services including financial institutions (banks), government agencies and more...finding a few OpenID OPs is certainly not a surprise (I was surprised to learn about SUN having an affected key however ;-) ) since around 3 % of all web sites were affected before disclosure.


I am sure that OpenID is not the only thing with problems, as you say.


Nope! I'll be glad to facilitate and help you to advance awareness at any forum you choose, which hopefully will have a better effect overall, than to single out specific standards and services. In that respect I suggest to change the current advisory relating to OpenID.


Regards

Signer:         Eddy Nigg, StartCom Ltd.<http://www.startcom.org>
Jabber:         startcom@...rtcom.org<xmpp:startcom@...rtcom.org>
Blog:   Join the Revolution!<http://blog.startcom.org>
Phone:  +1.213.341.0390


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists