[OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Aug 8 19:27:13 UTC 2008 

Ben Laurie:
> On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
> <eddy_nigg at startcom.org>  wrote:
>    
>> This affects any web site and service provider of various natures. It's not
>> exclusive for OpenID nor for any other protocol / standard / service! It may
>> affect an OpenID provider if it uses a compromised key in combination with
>> unpatched DNS servers. I don't understand why OpenID is singled out, since
>> it can potentially affect any web site including Google's various services
>> (if Google would have used Debian systems to create their private keys).
>>      
>
> OpenID is "singled out" because I am not talking about a potential
> problem but an actual problem.
>    

Sorry Ben, but any web site or service (HTTP, SMPT, IMAP, SSH, VPN, etc) 
which makes use of a compromised key has an actual problem and not *a* 
potential problem. Open ID as a standard isn't more affected than, lets 
say XMPP...If there are servers and providers relying on such keys the 
have a real actual problem. I don't see your point about Open ID nor 
didn't I see anything new....

The problem of weak keys should be dealt at the CA level, many which 
have failed to do anything serious about it.

> We have spotted other actual problems in other services. Details will
> be forthcoming at appropriate times.
>    

I think it's superfluous to single out different services since any 
service making use of the weak keys is affected, with recent discovery 
of DNS poisoning making the matter worse. I suggest you try a forum 
which can potentially reach many CAs, they in fact have everything at 
their disposal to remove this threat!


Regards
Signer: 	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Phone: 	+1.213.341.0390



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080808/8cc69f3e/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7327 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080808/8cc69f3e/attachment-0002.bin>

More information about the general mailing list