
Re: Accepted openssh 1:4.7p1-9 (source all i386)



Joey Hess <joeyh@debian.org> writes:

> If ssh-keygen generates such a key today, openssl is broken. But if it
> happens a couple of years from now, you're probably just astronomically
> unlucky and the fixed openssl happened to still generate a key in the
> small set of weak keys. And in that hypothetical, the user probably
> doesn't know anything about what happened historically (today) and could
> be very puzzled that their shiny new key doesn't work.

Do we have a feel for how astronomically unlucky you have to get?  If it's
really astronomical, it's probably not worth worrying about.  (My general
rule of thumb on that sort of thing is that if the chances of a collision
are lower than the chances of hardware failure during the course of the
operation, it's probably not worth taking any special safeguards.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
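An added back-of-the-envelope estimate (editorial example, not part of the thread or of the openssh package) of how "astronomically unlucky" a correctly seeded generator would have to be. It assumes, and these numbers are not from the page, that the weak set for one key type, size and architecture is about 2**15 keys (the broken generator's only entropy being the process ID), that a fixed generator draws RSA primes uniformly, and a constructed per-operation hardware failure chance of roughly 2**-40 for comparison against Russ's rule of thumb.

```python
import math

# Constructed estimate of the chance that a fresh, correctly generated RSA key
# lands in a small fixed set of weak keys.  All sizes below are assumptions for
# illustration, not figures taken from the mailing-list thread.

LN2 = math.log(2)


def log2_prime_count(bits):
    """Approximate log2 of the number of primes that are exactly `bits` bits
    long, from the prime number theorem:
        pi(2^b) - pi(2^(b-1))  ~=  2^(b-1) / (b * ln 2)
    """
    return (bits - 1) - math.log2(bits * LN2)


def log2_rsa_keyspace(modulus_bits):
    """log2 of the approximate number of distinct RSA moduli p*q where p and q
    are primes of half the modulus size; the pair is unordered, hence the -1."""
    half = modulus_bits // 2
    return 2 * log2_prime_count(half) - 1


def log2_collision_probability(weak_keys, modulus_bits):
    """log2 of P(one uniformly drawn key equals one of `weak_keys` fixed keys).
    Log space is used because the actual probability underflows a float."""
    return math.log2(weak_keys) - log2_rsa_keyspace(modulus_bits)


def log2_prob_any_collision(weak_keys, modulus_bits, keys_generated):
    """log2 of P(at least one of `keys_generated` fresh keys is weak).
    For probabilities this small, 1 - (1 - p)^M is indistinguishable from M*p,
    so the union bound is used instead of the exact expression."""
    return math.log2(keys_generated) + log2_collision_probability(weak_keys, modulus_bits)


def worth_special_safeguard(weak_keys, modulus_bits, keys_generated, log2_hw_failure):
    """Russ's rule of thumb: a safeguard is worth it only if the collision
    chance exceeds the chance of hardware failure during the operation."""
    return log2_prob_any_collision(weak_keys, modulus_bits, keys_generated) > log2_hw_failure


if __name__ == "__main__":
    # Assumed weak-set size: one key per possible PID, 2**15 of them.
    weak = 2 ** 15
    print("log2 keyspace (RSA-2048):", round(log2_rsa_keyspace(2048), 1))
    print("log2 P(one fresh key is weak):", round(log2_collision_probability(weak, 2048), 1))
    # Even a billion fresh keys, against an assumed 2**-40 hardware failure chance.
    print("safeguard worth it?", worth_special_safeguard(weak, 2048, 10 ** 9, -40))
```

With these assumptions the per-key collision chance for RSA-2048 comes out near 2**-2011, so even a billion freshly generated keys sit some two thousand binary orders of magnitude below any plausible hardware failure rate; the prime-count estimate can be sanity-checked on small sizes (about 75 ten-bit primes exist, and the formula gives roughly 74).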

