Re: [Sks-devel] Heartbleed ans HKPS pool
From: Christian
Subject: Re: [Sks-devel] Heartbleed ans HKPS pool
Date: Wed, 28 May 2014 08:30:16 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
Hey,
and while we are on the subject: if I install my Class 2 (!) OV
certificate from StartSSL, the hkps button turns red. A valid
certificate is treated as not valid. I can understand that self-signed
certificates turn the hkps indicator red, but why don't we accept
OV certificates that every client will accept in the first place?
I hardly think that *any* client has the CA of SKS installed by
default (nor would an average client care to).
And the validation of the SKS CA is the same as for a Class 1 DV certificate.
tl;dr: We should allow validly signed certificates by default, alongside
the SKS CA, and only turn the button red on self-signed (or invalid) ones.
-Christian.
On 27.05.2014 23:21, dirk astrath wrote:
> Hello Kristian
>
>>>> You are quite correct, and I will revoke and issue new
>>>> certificates as I get CSRs signed with the same openpgp keys
>>>> that I originally got requests from.
>>> Please consider to remove vulnerable servers from HKPS pool.
>>> This is not a cosmetic problem like SKS version number but
>>> much serious. Some guys promise secure channel for
>>> communication but this is everything but secure.
>> I'll consider this once we reach the grace-period timeout (i.e.
>> revoking any certs that haven't been updated that seems
>> vulnerable)
>
> Currently I'm waiting for a change (or announcement) from your
> side.
>
> While installing "OCSP Stapling" on one of my servers some weeks
> ago I noticed that there is no entry for an OCSP or CRL server in
> the certificates. At the beginning of this month I ran out of time
> and therefore had a talk with Benny Baumann, who made some
> investigations and sent you an email around two weeks ago.
>
> To sum up why I haven't sent you a new CSR up to now:
>
> If you now revoke a certificate, nobody will know this (since there
> is no source for the revocation).
>
> This means that a new certificate doesn't make it more secure than
> it is now:
>
> If I install a new certificate based on a new private key, you (and
> I) think that this one is secure. If there is now a
> man-in-the-middle attack, the attacker may present the old certificate.
> The browser on the client side now thinks that the correct
> certificate is used, because the revocation status cannot be checked
> ... ;-(
>
> Can you please update your CA (or at least inform us about
> possible changes or your investigation in this case)?
>
> Thank you.
>
> Have a nice day ...
>
-- 
Christian Reiss - address@hidden
GPG Key: http://gpg.christian-reiss.de
Jabber : address@hidden
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise Lost.
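The point dirk raises in the quoted message (a certificate that names no OCSP responder and no CRL distribution point can be revoked on paper but never in practice) is easy to check for any certificate in the pool. The following is an added example, not code from the thread or from the SKS project: it generates three self-signed test certificates with OpenSSL (one bare, one with an Authority Information Access OCSP URI, one with a CRL Distribution Point) and reports which of them give a relying party any revocation source at all. The host name hkps.example.invalid, the URLs under example.invalid and the file names are assumptions made up for the example; `-addext` requires OpenSSL 1.1.1 or newer.

```shell
# Added example (not from the thread or the SKS project): does a certificate
# carry any pointer that lets a client learn it has been revoked?
# Host names, URLs and file names below are constructed for the example.

# has_revocation_pointer CERT.pem
# Returns 0 if the certificate carries an OCSP responder URI (Authority
# Information Access extension) or a CRL Distribution Point, 1 if it has
# neither. In the second case a revocation after a key compromise such as
# Heartbleed is invisible to every client until the certificate expires.
has_revocation_pointer() {
    cert="$1"
    # -ocsp_uri prints the AIA OCSP URI(s), or nothing when the extension is absent
    ocsp=$(openssl x509 -in "$cert" -noout -ocsp_uri 2>/dev/null || true)
    if [ -n "$ocsp" ]; then
        printf 'OCSP responder: %s\n' "$ocsp"
        return 0
    fi
    if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CRL Distribution Points'; then
        printf 'CRL distribution point present\n'
        return 0
    fi
    printf 'no OCSP URI and no CRL distribution point: revocation status cannot be checked\n'
    return 1
}

# make_cert OUT.pem [extra openssl-req options]
# Self-signed 2048-bit RSA certificate for the constructed host; the private
# key is written next to it. Extra arguments go to openssl req, which is how
# the revocation extensions are attached in demo (-addext, OpenSSL >= 1.1.1).
make_cert() {
    out="$1"; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=hkps.example.invalid' \
        -keyout "${out%.pem}.key" -out "$out" "$@" 2>/dev/null
}

# demo: build the three test certificates and classify each one.
demo() {
    tmp=$(mktemp -d)
    make_cert "$tmp/bare.pem"
    make_cert "$tmp/ocsp.pem" -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid'
    make_cert "$tmp/crl.pem"  -addext 'crlDistributionPoints=URI:http://crl.example.invalid/ca.crl'
    for c in bare ocsp crl; do
        printf '%s: ' "$c"
        has_revocation_pointer "$tmp/$c.pem" || true
    done
    rm -rf "$tmp"
}

demo
```

To run the same check against a live HKPS server rather than a file, `openssl s_client -connect HOST:443 -status </dev/null` prints the server certificate and, in the OCSP response section, whether a stapled response was sent; feed the certificate it prints to `has_revocation_pointer`. Note the caveat that even when a pointer is present, most TLS clients soft-fail when the OCSP responder or CRL is unreachable, so a leaked key is only reliably defused once the old certificate expires or the client checks revocation strictly.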