[Toolserver-l] [SECURITY] Debian OpenSSL bug may affect cryptographic keys generated or used on hemlock

Simetrical Simetrical+wikilist at gmail.com
Wed May 14 13:31:00 UTC 2008


On Wed, May 14, 2008 at 6:08 AM, River Tarnell <river at wikimedia.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Carl F?rstenberg:
>> but surely, can't all the keys people are using for logging in been compromized?
>
> i'm not sure what you're asking here.  as far as i understand the problem,
> using an SSH key to log into an affected server does not compromise the key.
> (if it did, that would be very bad, because the point of asymmetric
> cryptography is that the other end doesn't know your private key.)
>
> the key _is_ affected if you copy the private part of the key to an affected
> server and use it there.

But the keys that some people use to log in may be compromised, if
they were created on a vulnerable OpenSSL version not on the
toolserver.  Given that Brion disabled some people's commit keys, I
take it that it's possible to tell whether a key is compromised just
by examining the public key.  Do you plan to do that, or allow people
with compromised keys to continue to log in?  Or is that a false
dilemma?



More information about the Toolserver-l mailing list