Bugtraq mailing list archives
RE: OpenID/Debian PRNG/DNS Cache poisoning advisory
From: "Leichter, Jerry" <leichter_jerrold () emc com>
Date: Fri, 8 Aug 2008 13:04:16 -0400 (EDT)
On Fri, 8 Aug 2008, Dave Korn wrote: | > Isn't this a good argument for blacklisting the keys on the client | > side? | | Isn't that exactly what "Browsers must check CRLs" means in this | context anyway? What alternative client-side blacklisting mechanism | do you suggest? Since the list of bad keys is known and fairly short, one could explicitly check for them in the browser code, without reference to any external CRL. Of course, the browser itself may not see the bad key - it may see key for something that *contains* a bad key. So such a check would not be complete. Still, it couldn't hurt. One could put similar checks everywhere that keys are used. Think of it as the modern version of code that checks for and rejects DES weak and semi-weak keys. The more code out there that does the check, the faster bad keys will be driven out of use. -- Jerry
Current thread:
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory, (continued)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Leichter, Jerry (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Forrest J. Cavalier III (Aug 12)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Leichter, Jerry (Aug 12)
- key blacklisting & file size (was: OpenID/Debian PRNG/DNS Cache poisoning advisory) Solar Designer (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Florian Weimer (Aug 12)
- Message not available
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Stefan Kanthak (Aug 12)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Tim Dierks (Aug 12)
- RE: OpenID/Debian PRNG/DNS Cache poisoning advisory Leichter, Jerry (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 12)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 12)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 12)