Full Disclosure mailing list archives
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
From: pgut001 () cs auckland ac nz (Peter Gutmann)
Date: Sat, 09 Aug 2008 05:49:42 +1200
Eric Rescorla <ekr () networkresonance com> writes:
It's easy to compute all the public keys that will be generated by the broken PRNG. The clients could embed that list and refuse to accept any certificate containing one of them. So, this is distinct from CRLs in that it doesn't require knowing which servers have which cert...
You'd also end up with a rather large list for the client to carry around, which would be especially problematic for lightweight clients. You'd need to represent it as something like a Bloom filter to avoid this (given that most users will just click OK on invalid certs, the small false positive rate shouldn't have much effect either :-). Peter. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory, (continued)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Perry E. Metzger (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Paul Hoffman (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Dick Hardt (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Gerald Beuchelt (Aug 08)
- Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory Eddy Nigg (StartCom Ltd.) (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dave Korn (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dan Guido (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Jin Sei (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Peter Gutmann (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Dan Kaminsky (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Florian Weimer (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Nicolas Williams (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Leichter, Jerry (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Eric Rescorla (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Leichter, Jerry (Aug 08)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Forrest J. Cavalier III (Aug 09)
- Re: OpenID/Debian PRNG/DNS Cache poisoning advisory Seth Breidbart (Aug 13)
- key blacklisting & file size (was: OpenID/Debian PRNG/DNS Cache poisoning advisory) Solar Designer (Aug 08)