[OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Aug 8 19:13:41 UTC 2008
Dick Hardt:
> On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
>
>> It also only fixes this single type of key compromise. Surely it is
>> time to stop ignoring CRLs before something more serious goes wrong?
>>
>
> Clearly many implementors have chosen to *knowingly* ignore CRLs
> despite the security implications
>
Please note that Firefox 3 implements OCSP checking which is turned on
by default. It's more efficient than CRLs...in that respect also note
that some CAs don't support CRL distribution points in the end user
certificates nor OCSP at all. Obviously those are details a subscriber
should check before purchasing a certificate.
Also subscribers share the responsibilities with the CA in cases such as
the Debian fiasco, most CAs have refrained from detecting and revoking
affected certificates. Just to make it clear that this problem isn't
specific to OpenID but all web sites and we discussed this issue
extensively over at Mozilla (dev.tech.crypto).
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080808/3d57dfd4/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7327 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080808/3d57dfd4/attachment-0002.bin>
More information about the general
mailing list