Full Disclosure mailing list archives

Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

From: Gerald Beuchelt <beuchelt () sun com>
Date: Fri, 08 Aug 2008 13:44:07 -0400

Dick Hardt wrote:

On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
It also only fixes this single type of key compromise. Surely it is
time to stop ignoring CRLs before something more serious goes wrong?
Clearly many implementors have chosen to *knowingly* ignore CRLsdespite the security implications, so my take away would be that thecurrent public key infrastructure is flawed.

Well, they might have done this *knowingly*, but--at least forsome--I doubt that they *know* what they have done. IMO, it is badpractice to implement only half of a protocol/standard for any reason(especially out of laziness or ignorance), but that is what usingcertificates without CRL checking amounts to.

If we believe that the current PKI was truly flawed, it would be anact of gross negligence to use it for anything requiring a properlysecured communication channel.

To extend Ben's advice: Decide if you want to use the current PKI.If so, implement CRL checking.


Gerald

-- Dick

_______________________________________________
general mailing list
general () openid net
http://openid.net/mailman/listinfo/general

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory, (continued)
- - - Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
  - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dave Korn (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Ben Laurie (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Perry E. Metzger (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Paul Hoffman (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
    - Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Dick Hardt (Aug 08)
    - Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Gerald Beuchelt (Aug 08)
    - Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dave Korn (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dan Guido (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Jin Sei (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Peter Gutmann (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dan Kaminsky (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Florian Weimer (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
    - Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Leichter, Jerry (Aug 08)

(Thread continues...)