Re: [Sks-devel] Heartbleed ans HKPS pool
From: dirk astrath
Subject: Re: [Sks-devel] Heartbleed ans HKPS pool
Date: Tue, 27 May 2014 21:21:06 +0000
User-agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello Kristian,
>>> You are quite correct, and I will revoke and issue new
>>> certificates as I get CSRs signed with the same openpgp keys
>>> that I originally got requests from.
>> Please consider removing vulnerable servers from the HKPS pool.
>> This is not a cosmetic problem like the SKS version number but much
>> more serious. Some guys promise a secure channel for communication but
>> this is everything but secure.
> I'll consider this once we reach the grace-period timeout (i.e.
> revoking any certs that haven't been updated and seem
> vulnerable)
Currently I'm waiting for a change (or announcement) from your side.
While installing "OCSP Stapling" on one of my servers some weeks ago I
detected that there is no entry for an OCSP or CRL server in the
certificates. At the beginning of this month I ran out of time and
therefore had a talk with Benny Baumann, who made some investigations
and sent you an email around two weeks ago.
To sum up why I haven't sent you a new CSR up to now:
If you now revoke a certificate, nobody will know this (since there is
no source for the revocation).
This means that a new certificate doesn't make it more secure than it
is now:
If I install a new certificate based on a new private key, you (and I)
think that this one is secure. If there is now a
"man-in-the-middle" attack, the attacker may present the old
certificate. The browser on the client side now thinks that the correct
certificate is used, because the revocation status cannot be checked ... ;-(
Can you please update your CA (or at least inform us about possible
changes or your investigation in this case)?
Thank you.
Have a nice day ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlOFAcEACgkQVuf/iihAxwgIFACcC5c8gnLMx9wriyVUyc98P2uH
xmkAoJXuyuovrLDrwXyDtNAfQq1rJRcW
=gvYu
-----END PGP SIGNATURE-----
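The point Dirk makes above, that a revocation nobody can look up protects nobody, comes down to whether the certificates carry an Authority Information Access extension (with an OCSP responder URI) or a CRL Distribution Points extension at all. The check below is an added example, not code from this thread or from the SKS project: a pure-stdlib Python DER walk that lists the OCSP and CRL URIs a certificate advertises. The certificates it runs on are constructed inline (real tag layout, filler contents, made-up example.net URIs), and the function names are mine. Fed a real certificate as DER (for example after `openssl x509 -in server.pem -outform DER -out server.der`), an empty result means a client has no pointer from which to fetch revocation information, and, as Dirk noticed, a stapling server has no responder to ask either.

```python
"""Which revocation pointers does an X.509 certificate carry? Pure-stdlib DER
walk returning OCSP responder URIs (AIA) and CRL Distribution Point URIs."""

OID_AIA, OID_CRL_DP = "1.3.6.1.5.5.7.1.1", "2.5.29.31"   # AIA, CRL Distribution Points
OID_OCSP, TAG_URI = "1.3.6.1.5.5.7.48.1", 0x86           # id-ad-ocsp; GeneralName URI [6]

def read_tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def iter_children(value):
    """Yield (tag, value) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                        # last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def find_extensions(cert_der):
    """{oid: extnValue} from Certificate -> tbsCertificate -> extensions [3]."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    exts = {}
    for tag, val in iter_children(tbs):
        if tag == 0xA3:                         # [3] EXPLICIT Extensions
            for _, ext in iter_children(read_tlv(val, 0)[1]):
                parts = list(iter_children(ext))    # OID, [critical], OCTET STRING
                exts[decode_oid(parts[0][1])] = parts[-1][1]
    return exts

def ocsp_uris(aia_value):
    uris = []
    for _, desc in iter_children(read_tlv(aia_value, 0)[1]):   # SEQUENCE OF AccessDescription
        (_, method), (tag, loc) = list(iter_children(desc))[:2]
        if decode_oid(method) == OID_OCSP and tag == TAG_URI:
            uris.append(loc.decode("ascii"))
    return uris

def crl_uris(crldp_value):
    uris = []
    for _, dp in iter_children(read_tlv(crldp_value, 0)[1]):   # SEQUENCE OF DistributionPoint
        for tag, dpn in iter_children(dp):
            if tag != 0xA0:                     # only distributionPoint [0] carries names
                continue
            for tag2, names in iter_children(dpn):
                if tag2 == 0xA0:                # fullName [0] IMPLICIT GeneralNames
                    uris += [n.decode("ascii") for t, n in iter_children(names) if t == TAG_URI]
    return uris

def revocation_pointers(cert_der):
    exts = find_extensions(cert_der)
    return {"ocsp": ocsp_uris(exts[OID_AIA]) if OID_AIA in exts else [],
            "crl": crl_uris(exts[OID_CRL_DP]) if OID_CRL_DP in exts else []}

def is_revocation_checkable(cert_der):
    return any(revocation_pointers(cert_der).values())

# --- constructed sample input: toy certificate, not a real one; URIs are made up ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def build_sample_cert(ocsp_uri=None, crl_uri=None):
    exts = []
    if ocsp_uri:
        access = tlv(0x30, encode_oid(OID_OCSP) + tlv(TAG_URI, ocsp_uri.encode()))
        exts.append(tlv(0x30, encode_oid(OID_AIA) + tlv(0x04, tlv(0x30, access))))
    if crl_uri:
        dp = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(TAG_URI, crl_uri.encode()))))
        exts.append(tlv(0x30, encode_oid(OID_CRL_DP) + tlv(0x04, tlv(0x30, dp))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")              # version v3, serial
           + tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))  # signature alg
           + tlv(0x30, b"") * 4                             # issuer, validity, subject, SPKI: filler
           + (tlv(0xA3, tlv(0x30, b"".join(exts))) if exts else b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

`revocation_pointers(open("server.der", "rb").read())` runs the same walk over a real certificate; `build_sample_cert()` with no arguments reproduces the situation in the thread (no OCSP, no CRL), while `build_sample_cert("http://ocsp.example.net", "http://crl.example.net/ca.crl")` shows what a CA that supports revocation would have to put in the CSR-signed certificate. The walker only looks at structure, so it does not verify the signature or anything else about the certificate; it answers one question, whether a relying party has anywhere to ask.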