[124243] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: blacklisting the bad ssh keys?

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Thu May 22 14:44:51 2008

Date: Thu, 22 May 2008 09:54:20 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: cryptography@metzdowd.com
In-Reply-To: <20080514195258.0c1ae32a@cs.columbia.edu>

At Wed, 14 May 2008 19:52:58 -0400,
Steven M. Bellovin wrote:
> 
> Given the published list of bad ssh keys due to the Debian mistake (see
> http://metasploit.com/users/hdm/tools/debian-openssl/), should sshd be
> updated to contain a blacklist of those keys?  I suspect that a Bloom
> filter would be quite compact and efficient.

I've been having a similar thought. This also probably applies to SSL
keys, given the rather lack attitude that most clients have about
checking CRLS.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post