[OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Peter Williams pwilliams at rapattoni.com
Fri Aug 8 18:31:53 UTC 2008


Are you implying that, for OpenID auth that does not use HTTPS (with PKI-leveraging ciphersuites, where the PKI uses CRLs), one would be "grossly negligent" to use the core DH key agreement handshake defined by David and co.?

Perhaps I should put the question more simply?

Would you support making it mandatory that OpenID bind to (commodity) HTTPS (vs. HTTP)?

________________________________
From: Gerald Beuchelt <beuchelt at sun.com>
Sent: Friday, August 08, 2008 12:45 PM
To: Dick Hardt <dick at sxip.com>
Cc: cryptography at metzdowd.com <cryptography at metzdowd.com>; Eric Rescorla <ekr at networkresonance.com>; Dave Korn <dave.korn at artimi.com>; full-disclosure at lists.grok.org.uk <full-disclosure at lists.grok.org.uk>; bugtraq at securityfocus.com <bugtraq at securityfocus.com>; OpenID List <general at openid.net>; security at openid.net <security at openid.net>
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Dick Hardt wrote:

On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:


It also only fixes this single type of key compromise. Surely it is
time to stop ignoring CRLs before something more serious goes wrong?



Clearly many implementors have chosen to *knowingly* ignore CRLs
despite the security implications, so my take away would be that the
current public key infrastructure is flawed.



    Well, they might have done this *knowingly*, but--at least for some--I doubt that they *know* what they have done. IMO, it is bad practice to implement only half of a protocol/standard for any reason (especially out of laziness or ignorance), but that is what using certificates without CRL checking amounts to.

    If we believe that the current PKI was truly flawed, it would be an act of gross negligence to use it for anything requiring a properly secured communication channel.

    To extend Ben's advice: Decide if you want to use the current PKI. If so, implement CRL checking.

Gerald

-- Dick

_______________________________________________
general mailing list
general at openid.net<mailto:general at openid.net>
http://openid.net/mailman/listinfo/general
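Gerald's closing advice ("If so, implement CRL checking") and Peter's question about binding OpenID to HTTPS both turn on whether a relying party actually consults revocation data when it validates a certificate. As an added example that is not part of this thread, the following POSIX shell script uses the openssl command line to build a throwaway CA, issue and then revoke a certificate for a hypothetical OpenID provider host, and run the same verification twice: once the way a CRL-ignoring implementation does it, and once with CRL checking switched on. The CA name, the host name op.example and the serial number are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from any OpenID library:
# issue a leaf certificate from a throwaway CA, revoke it via a CRL, and
# show that OpenSSL only rejects it when CRL checking is requested.
# The CA subject, "op.example" and serial 1000 are invented for the demo.
set -e

WORK=$(mktemp -d)

setup_pki() {
    cd "$WORK"
    # Minimal config: [req]/[v3_ca] let `req -x509` mark the self-signed
    # cert as a CA; [ca]/[test_ca] is what `openssl ca` needs to keep a
    # revocation database and sign a CRL.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 1
EOF
    : > index.txt          # empty revocation database
    echo 01 > crlnumber    # first CRL number

    # Throwaway CA (constructed; not a real trust anchor).
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -days 1 -subj "/CN=Example Test CA" 2>/dev/null
    # Leaf certificate for the hypothetical OpenID provider host.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=op.example" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1000 \
        -days 1 -out leaf.pem 2>/dev/null
    # Revoke the leaf and publish the CRL the issuer would serve.
    openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# Verification as a CRL-ignoring implementation does it: chain to the
# CA only.  Exit status 0 ("OK") even though the issuer revoked the cert.
verify_ignoring_crl() {
    ( cd "$WORK" && openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1 )
}

# Verification with the CRL consulted: non-zero exit, "certificate revoked".
verify_with_crl() {
    ( cd "$WORK" && openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem \
        leaf.pem >/dev/null 2>&1 )
}

setup_pki
if verify_ignoring_crl; then
    echo "without CRL check: accepted (revocation missed)"
fi
if verify_with_crl; then
    echo "with CRL check: accepted"
else
    echo "with CRL check: rejected (certificate revoked)"
fi
```

Run it with a stock OpenSSL (1.1.1 or 3.x): the first verify reports OK for a certificate its issuer has already revoked, the second fails with "certificate revoked". In a TLS client the equivalent switch is the X509_V_FLAG_CRL_CHECK verify flag (Python exposes it as ssl.VERIFY_CRL_CHECK_LEAF), and once it is set, verification fails unless a CRL for the issuer has actually been loaded, which is the half of the protocol Gerald is pointing at.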
