> On Sat, Aug 23, 2008 at 04:37:13PM -0500, Jeffrey Ollie wrote:
> > The primary reason is that it's nearly impossible to tell if the key
> > was generated on a Debian system with the compromised OpenSSL
> > versions.

OK, I checked and it is far from impossible. After all, the bug was that there are only 32k possible keys per arch/size/type - Debian has even issued blacklists for all keys of typical and some untypical sizes like 1024/2048/1023/2047/4096/8192, and for some sizes they even packaged it up, see

http://packages.debian.org/unstable/main/openssh-blacklist
http://packages.debian.org/unstable/main/openssh-blacklist-extra

If there is paranoia floating around, then why not use that blacklist in Fedora/RHEL as well instead of nuking all DSA keys and still allowing the bad RSA keys? And if you are really paranoid, then one can package up these blacklists for general use by Fedora/RHEL's openssh. I don't know if openssh has a blacklist-reject ability already coded in, though.
-- 
Axel.Thimm at ATrpms.net
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
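The blacklist-reject check the poster is asking about, as an added example that is not part of the mailing-list thread and is not Debian's ssh-vulnkey or the openssh-blacklist package. It computes the classic OpenSSH MD5 fingerprint of each key in an authorized_keys-style file and looks its suffix up in a Debian-style blacklist. Assumptions made here and labelled in the code: blacklist files hold one entry per line, each entry being the last 20 hex digits of the key's MD5 fingerprint, with `#` comment lines; the two RSA keys and the blacklist are constructed for the demo (the moduli are filler numbers, not real RSA keys, and the "weak" key is simply the one whose suffix was written into the sample list).

```python
"""Check OpenSSH public keys against a Debian-style weak-key blacklist.

Added example; not the poster's code, not Debian's ssh-vulnkey.
Assumed blacklist format: one entry per line, the last 20 hex digits of
the key's MD5 fingerprint, '#' lines are comments. All sample data is
constructed.
"""
import base64
import hashlib
import struct

SUFFIX_LEN = 20  # assumed entry length: low 80 bits of the MD5 fingerprint


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': two's-complement big-endian, leading 0x00 if high bit set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def rsa_blob(e: int, n: int) -> bytes:
    """Wire-format RSA public key blob: string 'ssh-rsa', mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: MD5 over the decoded key blob, 32 hex digits."""
    return hashlib.md5(blob).hexdigest()


def blacklist_entry(blob: bytes) -> str:
    """The part of the fingerprint an (assumed-format) blacklist line would carry."""
    return md5_fingerprint(blob)[-SUFFIX_LEN:]


def parse_authorized_keys_line(line: str):
    """Return (keytype, blob) for one authorized_keys line, or None.

    Tolerates a leading options field such as command="..." whose quoted
    value may itself contain spaces.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens, cur, inq = [], "", False
    for ch in line:
        if ch == '"':
            inq = not inq
        if ch == " " and not inq:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(tokens):
            try:
                return tok, base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
    return None


def load_blacklist(text: str) -> set:
    """Parse blacklist text (assumed format) into a set of lowercase suffixes."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return (lineno, keytype, md5_fingerprint, flagged) for each key line."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        keytype, blob = parsed
        fp = md5_fingerprint(blob)
        results.append((no, keytype, fp, fp[-SUFFIX_LEN:] in blacklist))
    return results


def encode_pubkey(blob: bytes, comment: str) -> str:
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


# Constructed keys: filler moduli, not real RSA keys.
WEAK_BLOB = rsa_blob(65537, int("c0ffee" * 40, 16))
GOOD_BLOB = rsa_blob(65537, int("decade" * 40, 16))

# Constructed blacklist in the assumed format: the "weak" key plus a filler entry.
SAMPLE_BLACKLIST = ("# constructed blacklist\n"
                    + blacklist_entry(WEAK_BLOB) + "\n0123456789abcdef0123\n")

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    'command="/usr/bin/rsync --server" ' + encode_pubkey(WEAK_BLOB, "backup@host"),
    encode_pubkey(GOOD_BLOB, "alice@laptop"),
])


def audit_sample() -> list:
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, load_blacklist(SAMPLE_BLACKLIST))


if __name__ == "__main__":
    for no, kt, fp, flagged in audit_sample():
        print(f"line {no}: {kt} {fp} {'BLACKLISTED' if flagged else 'ok'}")
```

Run against real data, the blacklist text would come from a file such as the ones shipped in the Debian packages linked above, and the key text from `~/.ssh/authorized_keys` or a host key's `.pub` file; the suffix-match logic is the same. Note that the MD5 fingerprint here is a lookup key for the list, not an integrity mechanism, so MD5's collision weaknesses do not matter for this purpose.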