On Mon, 19 May 2008, Jan Tomasek wrote:

> Kees Cook wrote:
>>> The rule is simple. When the ~/.rnd file doesn't exist I get one key
>>> and in the other situation I get another key (the one listed in the
>>> Ubuntu openssl-blacklist). Because of this problem openssl-blacklist has
>>> to be twice as big as openssh-blacklist. I developed simple shell
>>> scripts to generate a list of all key lengths we are interested in.
>>> They are attached.
>>
>> Yes, this was realized during the generation of the openssl-blacklist in
>> Ubuntu. We're expecting to have the more complete lists published soon,
>> for all 3 architectures.

These are published now, and also in Debian.

> I discovered that there is also a 3rd key which you get if you pass an empty
> file by -rand. Keys created in this way are still the same so it's
> another possible compromised key. I'm not sure if it is worth spending time on
> counting these keys...
>

Empty files vs non-existent result in the same key here.

> What is your 3rd architecture? On Ubuntu pages I see only PC (Intel x86)
> desktop CD and 64-bit PC (AMD64) desktop CD?
>

powerpc/sparc. It's in ports and not an officially supported architecture anymore.

Jamie

-- 
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/