On Sun, Aug 24, 2008 at 09:39:15AM -0600, Stephen John Smoogen wrote:
> 2008/8/24 Axel Thimm <Axel.Thimm@xxxxxxxxxx>:
> >> On Sat, Aug 23, 2008 at 04:37:13PM -0500, Jeffrey Ollie wrote:
> >> > The primary reason is that it's nearly impossible to tell if the key
> >> > was generated on a Debian system with the compromised OpenSSL
> >> > versions.
> >
> > OK, I checked and it is far from impossible. After all the bug was
> > that there are only 32k possible keys per arch/size/type - Debian has
> > even issued blacklists for all keys of typical and some untypical
> > sizes like 1024/2048/1023/2047/4096/8192 and for some sizes they even
> > packaged it up, see
> >
> > http://packages.debian.org/unstable/main/openssh-blacklist
> > http://packages.debian.org/unstable/main/openssh-blacklist-extra
> >
> > If there is paranoia floating around, then why not use that blacklist
> > in Fedora/RHEL as well instead of nuking all DSA keys and still
> > allowing the bad RSA keys?
>
> All RSA keys were nuked too.

Please read up the complete thread (and maybe the subject line as well :)
- with nuking of ssh keys I'm not referring to the internally used ssh
keys, which were all replaced, but the nuking of all user DSA keys for
using in FAS/cvs.

s/nuked/banned/g for a better phrasing - sorry, me no naitif ingisch
spieka.
--
Axel.Thimm at ATrpms.net
Attachment:
pgp5CiW5TdeXS.pgp
Description: PGP signature
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
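The blacklist lookup Axel refers to, as an added example that is not part of the thread and not Debian's own ssh-vulnkey code: it checks authorized_keys-style public key lines against a blacklist in the openssh-blacklist file format. The example assumes that format to be one entry per line, each entry being the hex MD5 fingerprint of the key blob with its first 12 hex characters dropped (20 characters remain), with '#' comment lines; the two keys and the blacklist text are constructed inline and are not real keys or real blacklist entries.

```python
"""Check OpenSSH public keys against a Debian openssh-blacklist style file.

Added example, not code from the mailing list thread or from Debian.
Assumed file format: one 20-hex-character entry per line (MD5 fingerprint
of the key blob with the first 12 hex chars removed), '#' starts a comment.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:  # keep the sign bit clear for a positive value
        raw = b"\x00" + raw
    return ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64 blob> <comment>' line.

    Constructed for this example: the numbers are tiny and NOT a real key.
    """
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def key_blob(line: str) -> bytes:
    """Extract and decode the base64 key blob from a public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    return base64.b64decode(fields[1])


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 fingerprint of the key blob (the old ssh-keygen -l format)."""
    return hashlib.md5(blob).hexdigest()


def blacklist_suffix(blob: bytes) -> str:
    """The 20-hex-char suffix the blacklist files store for a key (assumed)."""
    return md5_fingerprint(blob)[12:]


def load_blacklist(text: str) -> set:
    """Parse blacklist file contents into a set of 20-char suffixes."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) != 20 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"malformed blacklist entry: {raw!r}")
        entries.add(line)
    return entries


def is_blacklisted(line: str, blacklist: set) -> bool:
    """True if the key on this line has a fingerprint suffix in the blacklist."""
    return blacklist_suffix(key_blob(line)) in blacklist


# Constructed sample keys (toy moduli, not real keys).
WEAK_KEY_LINE = make_rsa_pubkey_line(65537, 0xC2F1D5A3, "weak@example")
GOOD_KEY_LINE = make_rsa_pubkey_line(65537, 0xD7E9B1F5, "good@example")

# Constructed blacklist text listing only the suffix of WEAK_KEY_LINE.
SAMPLE_BLACKLIST_TEXT = (
    "# constructed sample in openssh-blacklist format\n"
    + blacklist_suffix(key_blob(WEAK_KEY_LINE)) + "\n"
)


def check_keys(lines, blacklist_text=SAMPLE_BLACKLIST_TEXT) -> dict:
    """Return {comment: blacklisted?} for each public key line given."""
    bl = load_blacklist(blacklist_text)
    return {line.split()[-1]: is_blacklisted(line, bl) for line in lines}


if __name__ == "__main__":
    for name, bad in check_keys([WEAK_KEY_LINE, GOOD_KEY_LINE]).items():
        print(f"{name}: {'BLACKLISTED' if bad else 'ok'}")
```

Pointed at a real blacklist file and a real authorized_keys file, the same loop flags every key whose fingerprint suffix is listed, which is the check the thread proposes instead of a blanket ban on one key type.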