Full Disclosure mailing list archives
Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg () startcom org>
Date: Fri, 08 Aug 2008 22:13:41 +0300
Dick Hardt:
> On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
>> It also only fixes this single type of key compromise. Surely it is time to stop ignoring CRLs before something more serious goes wrong?
>
> Clearly many implementors have chosen to *knowingly* ignore CRLs despite the security implications
Please note that Firefox 3 implements OCSP checking, which is turned on by default. It's more efficient than CRLs. In that respect, also note that some CAs don't support CRL distribution points in the end user certificates or OCSP at all. Obviously those are details a subscriber should check before purchasing a certificate.

Also, subscribers share the responsibilities with the CA. In cases such as the Debian fiasco, most CAs have refrained from detecting and revoking affected certificates. Just to make it clear: this problem isn't specific to OpenID but to all web sites, and we discussed this issue extensively over at Mozilla (dev.tech.crypto).
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom () startcom org <xmpp:startcom () startcom org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
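The "details a subscriber should check" above can be verified from the certificate itself: whether it carries a CRL distribution point and an OCSP responder URL. The following is an added example, not part of the original thread, and assumes only the openssl CLI (1.1.1 or later for -addext); the two certificates and their URLs are constructed test data, not real CA endpoints.

```shell
#!/bin/sh
# Added example: report which revocation channels a certificate advertises.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificates (self-signed, throwaway keys): one advertises
# both a CRL distribution point and an OCSP responder, the other neither.
make_cert() {  # $1 = output path, remaining args = extra openssl req options
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$out" \
        -days 1 -subj "/CN=revocation-check-test" "$@" >/dev/null 2>&1
}
make_cert "$WORK/with.pem" \
    -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid"
make_cert "$WORK/without.pem"

# Prints "crl=yes|no ocsp=yes|no" for the PEM certificate in $1.
# Exit status is 0 only when both channels are present, so it can gate a purchase
# or deployment decision in a script.
revocation_info() {
    cert=$1
    crl=no; ocsp=no
    if openssl x509 -in "$cert" -noout -text | grep -q "X509v3 CRL Distribution Points"; then
        crl=yes
    fi
    # -ocsp_uri prints the OCSP URL(s) from the Authority Information Access extension, if any.
    if [ -n "$(openssl x509 -in "$cert" -noout -ocsp_uri)" ]; then
        ocsp=yes
    fi
    echo "crl=$crl ocsp=$ocsp"
    [ "$crl" = yes ] && [ "$ocsp" = yes ]
}

revocation_info "$WORK/with.pem" || echo "with.pem: no usable revocation channel"
revocation_info "$WORK/without.pem" || echo "without.pem: no usable revocation channel"
```

Run it against a CA's sample or issued certificate instead of the constructed ones to see what a browser such as Firefox 3 would actually have available for OCSP checking.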
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/