-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

the recently publicized SSL weak key generation for Debian-based systems
(cf. http://www.debian.org/security/key-rollover/)
has led our university computing center to retract our
Gentoo-generated SSL keys based on an advisory from the German
DFN cert :-(

I have not found any information about whether this might also
affect Gentoo systems. A test with the Perl script from
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
does not show vulnerability:
~ summary: keys found: 2, weak keys: 0

So I guess that Gentoo-generated keys are not affected.
Still it would be nice to have an official statement
to prevent official certification bodies from retracting
valid Gentoo-generated keys.

Regards,
Peter
- --
Peter Schneider-Kamp mailto:psk@××××××××××××××××××××××.de
LuFG Informatik II http://verify.rwth-aachen.de/psk
RWTH Aachen phone: +49 241 80-21211
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkguoJQACgkQ3VbrCXkKHhxQigCfSoeTKHLeq2nprKI5BuBgPJhg
KtgAniEai4bE7HnTDKNsA/pnspdVZMFU
=xywx
-----END PGP SIGNATURE-----
--
gentoo-security@l.g.o mailing list