Re: ssl security desaster

To: Russ Allbery <rra@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: ssl security desaster
From: Adam Majer <adamm@zombino.com>
Date: Fri, 16 May 2008 15:27:42 -0500
Message-id: <[🔎] 482DEE3E.8070206@zombino.com>
In-reply-to: <[🔎] 87skwjboyf.fsf@windlord.stanford.edu>
References: <[🔎] 1210853087.16247.13.camel@localhost> <[🔎] 87skwjboyf.fsf@windlord.stanford.edu>

Russ Allbery wrote:
> Martin Uecker <muecker@gwdg.de> writes:
> 
>> In this case, the security advisory should clearly be updated. And all
>> advise about searching for weak keys should be removed as well, because
>> it leads to false sense of security. In fact, *all* keys used on Debian
>> machines should be considered compromised.
> 
> All *DSA* keys.  RSA keys do not have the same problem, as I understand
> it.

Err, how so??

RSA keys generated with broken OpenSSL need replacing. This means SSL
certificates, CA, etc....

But RSA keys (for SSL, as an example), generated on good OpenSSL but
used on Etch servers are ok?

- Adam

Reply to:

Follow-Ups:
- Re: ssl security desaster
  - From: Mike Hommey <mh@glandium.org>

References:
- ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: Martin Uecker <muecker@gwdg.de>
- Re: ssl security desaster
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: How to handle Debian patches
Next by Date: Re: How to handle Debian patches
Previous by thread: Re: ssl security desaster
Next by thread: Re: ssl security desaster
Index(es):
- Date
- Thread