| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Hi, |
| 5 |
|
| 6 |
the recently publicized SSL weak key generation for debian-based systems |
| 7 |
(c.f. http://www.debian.org/security/key-rollover/) |
| 8 |
has lead our university computing center to retract our |
| 9 |
Gentoo-generated SSL keys based on an advisory from the German |
| 10 |
DFN cert :-( |
| 11 |
|
| 12 |
I have not found any information about whether this might also |
| 13 |
affect Gentoo systems. A test with the Perl script from |
| 14 |
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz |
| 15 |
does not show vulnerability: |
| 16 |
~ summary: keys found: 2, weak keys: 0 |
| 17 |
|
| 18 |
So I guess that Gentoo-generated keys are not affected. |
| 19 |
Still it would be nice to have an official statement |
| 20 |
to prevent official certification bodies from retracting |
| 21 |
valid Gentoo-generated keys. |
| 22 |
|
| 23 |
Regards, |
| 24 |
Peter |
| 25 |
- -- |
| 26 |
Peter Schneider-Kamp mailto:psk@××××××××××××××××××××××.de |
| 27 |
LuFG Informatik II http://verify.rwth-aachen.de/psk |
| 28 |
RWTH Aachen phone: +49 241 80-21211 |
| 29 |
-----BEGIN PGP SIGNATURE----- |
| 30 |
Version: GnuPG v1.4.8 (Darwin) |
| 31 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 32 |
|
| 33 |
iEYEARECAAYFAkguoJQACgkQ3VbrCXkKHhxQigCfSoeTKHLeq2nprKI5BuBgPJhg |
| 34 |
KtgAniEai4bE7HnTDKNsA/pnspdVZMFU |
| 35 |
=xywx |
| 36 |
-----END PGP SIGNATURE----- |
| 37 |
-- |
| 38 |
gentoo-security@l.g.o mailing list |
Archives