On Wed, 21 May 2008, Jan Tomasek wrote:
> Jamie Strandboge wrote:
>>> I discovered that there is also a 3rd key which you get if you pass
>>> an empty file by -rand. Keys created in this way are still the same so
>>> it's another possible compromised key. I'm not sure if it is worth
>>> spending time on counting these keys...
>>>
>> Empty files vs non-existent result in the same key here.
>
>
> http://pocitace.tomasek.cz/debian-randomness/
>
> Check out section Demonstration. I do not speak about the non-existent .rnd
> which is created after the first call. I speak about any other
> non-existent file specified by the -rand option. That produces a third key. But as
> I said before, I do not expect users to use it in this very stupid way.
>

Interesting. I agree that this is definitely a non-default case, and while Ubuntu is not going to actively pursue generating these keys (unless it can be shown that there are a lot of them out there), we would be willing to package up a separate blacklist package for it.

Jamie

--
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/