
Re: openssl-blacklist & two keys per one pid



* Jan Tomasek:

> This is a good argument. When I was trying to secure my systems from
> weak SSH keys, I decided to use ssh-vulnkey and build blacklists by
> myself from the work of H D Moore. I do not trust the dowkd.pl script because
> it lacks info on where the keys were taken from.

We did not want to publish this information in order to give system
administrators at least a tiny bit of lead in patching and reconfiguring
their systems.

> It also reported 0 weak keys even if there were keys of rare length, I
> presume unknown to dowkd.pl. I agree that there is a need to have a tool
> which everyone can easily verify.

Yes, this was a serious issue in the user interface, but it has been
fixed in the meantime.

> If Debian or Ubuntu Security teams are interested I can share the private
> keys with them, but publishing them on the web really isn't a good idea.

For me, dowkd-compatible fingerprints are enough in most cases.  Only if
there is a discrepancy (perhaps due to a random bit flip) might we need
the keys for comparison.
