Re: [Full-disclosure] [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory



Dick Hardt wrote:
> On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
>> It also only fixes this single type of key compromise. Surely it is
>> time to stop ignoring CRLs before something more serious goes wrong?
>
> Clearly many implementors have chosen to *knowingly* ignore CRLs despite the security implications, so my takeaway would be that the current public key infrastructure is flawed.

Well, they might have done this *knowingly*, but--at least for some--I doubt that they *know* what they have done. IMO, it is bad practice to implement only half of a protocol/standard for any reason (especially out of laziness or ignorance), but that is what using certificates without CRL checking amounts to.

If we believed that the current PKI was truly flawed, it would be an act of gross negligence to use it for anything requiring a properly secured communication channel.

To extend Ben's advice: Decide if you want to use the current PKI. If so, implement CRL checking.

Gerald
> -- Dick
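The CRL check Gerald is calling for, as an added example that is not part of this thread or of any OpenID implementation: a Go program (standard library only) that builds a throwaway CA, a leaf certificate and a CRL in memory (constructed sample data), then verifies that the CRL is signed by the leaf's CA, is not expired, and does not list the leaf's serial number. The function names, the "op.example" subject and the serial numbers are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// checkRevocation is the half of validation the thread says implementors skip: after the chain check, consult the CRL.
func checkRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	switch {
	case err != nil:
		return err
	case crl.CheckSignatureFrom(issuer) != nil: // the CRL must be signed by the CA that issued the leaf
		return fmt.Errorf("crl not signed by %s", issuer.Subject.CommonName)
	case now.After(crl.NextUpdate): // an expired CRL says nothing about today's revocations
		return fmt.Errorf("crl expired at %s", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil // not listed: revocation status is clean as of crl.ThisUpdate
}

// buildScenario builds a throwaway CA, a leaf it issued and a CRL revoking that leaf: constructed sample data, not a real PKI.
func buildScenario(now time.Time) (leaf, ca *x509.Certificate, crlDER []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // build errors are ignored for brevity throughout
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "op.example"}, NotBefore: now, NotAfter: now.Add(12 * time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return leaf, ca, crlDER
}
func main() {
	leaf, ca, crlDER := buildScenario(time.Now())
	fmt.Println(checkRevocation(leaf, ca, crlDER, time.Now())) // the leaf is listed, so this prints the revocation error
}
```

In a real deployment the CRL would be fetched from the distribution point named in the certificate and cached no longer than its NextUpdate; the signature, freshness and serial checks stay the same.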

_______________________________________________
general mailing list
general@xxxxxxxxxx
http://openid.net/mailman/listinfo/general

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
