
Re: ssl security desaster



On Fri, May 16, 2008 at 03:27:42PM -0500, Adam Majer wrote:
> Russ Allbery wrote:
> > Martin Uecker <muecker@gwdg.de> writes:
> > 
> >> In this case, the security advisory should clearly be updated. And all
> >> advice about searching for weak keys should be removed as well, because
> >> it leads to a false sense of security. In fact, *all* keys used on Debian
> >> machines should be considered compromised.
> > 
> > All *DSA* keys.  RSA keys do not have the same problem, as I understand
> > it.
> 
> Err, how so??
> 
> RSA keys generated with broken OpenSSL need replacing. This means SSL
> certificates, CA, etc....
> 
> But RSA keys (for SSL, as an example), generated on good OpenSSL but
> used on Etch servers are ok?

Yes.

Mike

