[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability

Sat May 17 10:25:25 UTC 2008
Ralph Angenendt <ra+centos at br-online.de>

Karanbir Singh wrote:
> Dag pointed out that Suse is also considering setting up a blacklist of
> this nature. I don't mind looking at something like this within CentOS if
> someone wants to make a case for it. Would it be better to just have
> some tool ( Daniel already brought that up! ) that could audit setups
> instead of running such a blacklist ?

The problem is that the tools I know only look for broken ssh keys
(dowkd.pl, ssh-vulnkey) and none of them address other problematic areas
like certificates, dnssec-keys (although Lutz Donnerhacke mailed all
people running zones with broken keys) and so on. 

If you take a look at <http://debian.wideopenssl.org/> there are so many
applications which might have broken keys even on non-Debian systems
that I think offering a tool for just ssh keys might give people a wrong
sense of security, if they don't find broken ssh keys on their machines.

Ralph
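The gap Ralph describes is that the Debian weakness lives in the RSA key material itself, while the tools he names only recognise one wrapper of it (OpenSSH public keys). The script below is an added example, not code from this thread, from CentOS or Debian, or from dowkd.pl or ssh-vulnkey: it unwraps an RSA key from an OpenSSH line, a PKCS#1 PEM, or a SubjectPublicKeyInfo PEM (which is what `openssl x509 -in cert.pem -pubkey -noout` prints for a certificate), reduces each to the modulus, and checks one blacklist keyed on the modulus. The blacklist entry format (hex SHA-256 of the modulus bytes), the toy modulus, the sample wrappers and the function names are all assumptions made for the example; a real blacklist would be keyed however its publisher chose, so `modulus_fingerprint` is the one function to replace.

```python
"""Normalise RSA keys from different containers to their modulus and check one
blacklist.  Added example for the thread above, not code from CentOS, Debian,
dowkd.pl or ssh-vulnkey; the blacklist format is an assumption (see below)."""
import base64
import hashlib
import re
import struct

def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(seq_value):
    """Yield (tag, value) for each TLV inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = der_read_tlv(seq_value, pos)
        yield tag, value

def modulus_from_pkcs1(der):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    tag, body, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a PKCS#1 RSAPublicKey")
    (ntag, n), (etag, _) = list(der_children(body))[:2]
    if ntag != 0x02 or etag != 0x02:
        raise ValueError("RSAPublicKey fields are not INTEGERs")
    return int.from_bytes(n, "big")

def modulus_from_spki(der):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    tag, body, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    (_, _alg), (btag, bits) = list(der_children(body))[:2]
    if btag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return modulus_from_pkcs1(bits[1:])     # bits[0] = unused-bit count, 0 for RSA keys

def modulus_from_openssh(line):
    """'ssh-rsa <base64> [comment]': blob = string "ssh-rsa", mpint e, mpint n."""
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big")

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def modulus_from_any(text):
    """Dispatch on container.  For an X.509 certificate, pass in the output of
    `openssl x509 -in cert.pem -pubkey -noout`, which is an SPKI PEM."""
    text = text.strip()
    if text.startswith("ssh-rsa "):
        return modulus_from_openssh(text)
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("unrecognised key container")
    der = base64.b64decode("".join(m.group(2).split()))
    if m.group(1) == "RSA PUBLIC KEY":
        return modulus_from_pkcs1(der)
    if m.group(1) == "PUBLIC KEY":
        return modulus_from_spki(der)
    raise ValueError("unsupported PEM label: " + m.group(1))

def modulus_fingerprint(n):
    """Assumed blacklist entry format: hex SHA-256 of the big-endian modulus bytes."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()

def is_blacklisted(key_text, blacklist):
    """True if the key's modulus fingerprint is in the blacklist, whatever the wrapper."""
    return modulus_fingerprint(modulus_from_any(key_text)) in blacklist

# Constructed sample data: one toy modulus (not a real key) in all three wrappers.
def _der(tag, value):                       # short-form length is enough for these sizes
    return bytes([tag, len(value)]) + value

def _int_bytes(i):                          # big-endian with a zero sign bit (DER, mpint)
    return i.to_bytes((i.bit_length() + 8) // 8, "big")

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

TOY_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E
TOY_E = 65537
SAMPLE_SSH = "ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_string(
    _int_bytes(TOY_E)) + _ssh_string(_int_bytes(TOY_N))).decode() + " toy@example"
_PKCS1 = _der(0x30, _der(0x02, _int_bytes(TOY_N)) + _der(0x02, _int_bytes(TOY_E)))
SAMPLE_PKCS1 = ("-----BEGIN RSA PUBLIC KEY-----\n" + base64.b64encode(_PKCS1).decode()
                + "\n-----END RSA PUBLIC KEY-----\n")
RSA_OID = bytes.fromhex("06092A864886F70D010101")   # rsaEncryption 1.2.840.113549.1.1.1
_SPKI = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + _PKCS1))
SAMPLE_SPKI = ("-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(_SPKI).decode()
               + "\n-----END PUBLIC KEY-----\n")
BLACKLIST = {modulus_fingerprint(TOY_N)}    # in practice loaded from a blacklist file
```

Because every wrapper is reduced to the same modulus, one list answers the question for `~/.ssh/authorized_keys`, host keys and TLS certificates alike, which is the coverage a single-purpose ssh-key checker lacks. What this still does not cover is the rest of Ralph's list: DNSSEC keys would need the DNSKEY RDATA unwrapped the same way, and private keys, DSA keys and anything not RSA need their own normalisation before the same lookup applies.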