On Tue, 2008-08-19 at 10:40 -0500, Jon Ciesla wrote:
> > Hi.
> >
> > On Tue, 19 Aug 2008 11:32:14 -0400, Simo Sorce wrote:
> >
> >> DSA keys can be compromised if the server you connect to is
> >> compromised. See discussions about the recent openssl debacle for
> >> Debian.
> >
> > Which kind of invalidates the whole "public key" concept, doesn't it?
> > :)
>
> Yup.
>
> > Not wanting to start a new discussion about this, but the fact that
> > (some) Debian-created keys were weak (and thus crackable) wasn't the
> > server's fault, but the fault of the client that generated the key in
> > the first place (unless I'm getting something seriously wrong).
>
> Correct. It was also server keys, but that wouldn't compromise your own
> client key, just the security of the server's key. To crack the
> encryption, you still need either the private key or a lot of time and CPU
> cycles. The Debian issue simply reduced the number of CPU cycles.

As far as I know a compromised server key can make it much easier to
compromise a client key if this key is DSA.
I know no more crypto details; someone who knows them could comment
further.

Simo.

--
Simo Sorce * Red Hat, Inc * New York