[130154] in cryptography@c2.net mail archive

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Fri Aug 8 12:25:36 2008

Date: Fri, 08 Aug 2008 08:06:25 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: "Ben Laurie" <benl@google.com>
Cc: bugtraq@securityfocus.com,
	security@openid.net,
	"OpenID List" <general@openid.net>,
	cryptography@metzdowd.com,
	full-disclosure@lists.grok.org.uk
In-Reply-To: <1b587cab0808080350s30eb231fqf204a5cd5739fa9f@mail.gmail.com>

At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
> However, since the CRLs will almost certainly not be checked, this
> means the site will still be vulnerable to attack for the lifetime of
> the certificate (and perhaps beyond, depending on user
> behaviour). Note that shutting down the site DOES NOT prevent the
> attack.
> 
> Therefore mitigation falls to other parties.
> 
> 1. Browsers must check CRLs by default.

Isn't this a good argument for blacklisting the keys on the client
side?

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
