Re: Plans to deploy openssl-blacklist in Debian?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 16-05-2008 06:34, Kees Cook wrote:
> On Thu, May 15, 2008 at 09:31:25PM -0300, Felipe Augusto van de Wiel (faw) wrote:
>> Speaking about that, are there plans to deploy
>> openssl-blacklist in Debian as an official package?
>
> I'd be happy to get the Ubuntu blacklists into Debian -- honestly I
> haven't had time yet (travelling, Ubuntu responsibilities, etc).
>
> Given the sizes of the various blacklists, I'd like to perhaps provide
> multiple packages. The openssh-blacklist was a balance between size and
> default-generated keys. I'd like to add packages for -rsa1024 and
> -rsa4096, etc. This could be done for openssl too, I think.
>
> There has been some confusion (well, lack of public information) about
> generating the blacklists. Since this is mostly public now with H D
> Moore's site[1], the random number streams were affected by three
> things:
>
> 1) process ID
> 2) sizeof(long)
> 3) endian-ness
>
> Presently, every combination of these for default dsa1024 and rsa2048
> went into openssh-blacklist. openssl-blacklist contains one additional
> case: the existence of the .rnd file, which added another binary state,
> doubling the size of those blacklists.
>
> Then finally we could have a -all that installed all of them if someone
> wanted it.
>
> openvpn also needs blacklists, since it is another unique key generation
> package. There may be others beyond that. Jamie Strandboge (Cc'd)
> has been researching the blacklists (and built the ssl and openvpn
> blacklists in Ubuntu).
>
> -Kees
>
> [1] http://metasploit.com/users/hdm/tools/debian-openssl/
I don't know if the Security Team is aware of it or is
working on it, since they are quite busy, so I'm cc:ing them
so they are aware of it. I saw that Alberto Gonzalez also
commented about the OpenVPN blacklist on debian-security.
Kind regards,
- --
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFILdxuCjAO0JDlykYRCIBNAJwL+kBMmNse+hDyuWvqgh6ApRyZkQCeJeGb
M1upZWgECxoNNjRa75PIvMo=
=1bRe
-----END PGP SIGNATURE-----
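The check that the openssl-blacklist packages discussed above let you run, as an added example that is not part of this thread or of the Debian/Ubuntu packages: a small, stdlib-only Python module that computes a key's blacklist fingerprint from its RSA modulus, parses a blacklist file, and answers whether the key is one of the predictable ones. The fingerprint convention assumed here (the 80 least significant bits of SHA-1 over the `Modulus=<HEX>` line that `openssl rsa -noout -modulus` prints) is how I recall openssl-vulnkey working; it is an assumption, not something stated in the thread, so confirm it against the package's own blacklist files before relying on it. The moduli and the blacklist text are constructed for the example and are far too short to be real keys.

```python
import hashlib
import re

# Assumption (not from the thread): an openssl-blacklist file lists, one per
# line, the last 20 hex digits (80 least significant bits) of SHA-1 over the
# exact line `openssl rsa -noout -modulus` prints, i.e. "Modulus=<HEX>\n",
# with '#' comment lines allowed. Verify against the real package.

MODULUS_LINE = re.compile(r"^Modulus=([0-9A-Fa-f]+)$")
ENTRY = re.compile(r"^[0-9a-f]{20}$")


def blacklist_entry(modulus_hex: str) -> str:
    """Fingerprint an RSA modulus (hex string) the way the blacklist keys it."""
    # openssl prints the modulus in upper-case hex; normalise so that a
    # caller passing lower-case hex gets the same entry.
    line = "Modulus=" + modulus_hex.upper() + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def entry_from_openssl_output(text: str) -> str:
    """Compute the entry from captured `openssl rsa -noout -modulus` output."""
    for raw in text.splitlines():
        m = MODULUS_LINE.match(raw.strip())
        if m:
            return blacklist_entry(m.group(1))
    raise ValueError("no Modulus= line in openssl output")


def parse_blacklist(text: str) -> frozenset:
    """Parse a blacklist file into a set of lower-case 20-hex-digit entries."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # strip comments
        if not line:
            continue
        if not ENTRY.match(line):
            raise ValueError(f"malformed blacklist line: {raw!r}")
        entries.add(line)
    return frozenset(entries)


def is_blacklisted(modulus_hex: str, blacklist: frozenset) -> bool:
    """True if the key with this modulus is one of the predictable keys."""
    return blacklist_entry(modulus_hex) in blacklist


# Constructed sample data: these are not real moduli, and the blacklist
# below is built for the example rather than taken from the package.
WEAK_MODULUS = "C0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
GOOD_MODULUS = "DEADBEEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567"

SAMPLE_BLACKLIST_TEXT = (
    "# constructed blacklist.RSA-2048 fragment (example only)\n"
    "# one 20-hex-digit entry per line\n"
    + blacklist_entry(WEAK_MODULUS) + "\n"
    + "0123456789abcdef0123   # another constructed entry\n"
)

SAMPLE_BLACKLIST = parse_blacklist(SAMPLE_BLACKLIST_TEXT)


def check_openssl_output(text: str, blacklist: frozenset = SAMPLE_BLACKLIST) -> bool:
    """Convenience wrapper: feed it `openssl rsa -noout -modulus` output."""
    return entry_from_openssl_output(text) in blacklist


if __name__ == "__main__":
    for name, mod in (("weak", WEAK_MODULUS), ("good", GOOD_MODULUS)):
        verdict = "COMPROMISED" if is_blacklisted(mod, SAMPLE_BLACKLIST) else "not listed"
        print(f"{name}: entry {blacklist_entry(mod)} -> {verdict}")
```

To use it against a real key you would capture `openssl rsa -noout -modulus -in key.pem` (or `openssl x509 -noout -modulus -in cert.pem`) and hand the output to `check_openssl_output` together with the package's blacklist file parsed by `parse_blacklist`. Note that a key not being listed only means it was not generated by the affected Debian OpenSSL under the enumerated PID, word-size, endianness and `.rnd` combinations that went into that particular list; the thread itself notes that other key sizes and other generators (OpenVPN among them) need their own lists.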