On Thu, 15 May 2008, Steinar H. Gunderson wrote: > On Wed, May 14, 2008 at 06:22:37PM -0500, Steve Greenland wrote: > >> Therefore, anyone who had a DSA key has had it compromised... > > Shouldn't that be "anyone who had a DSA key *created by the flawed > > version of openssl* has had it compromised..."? Or are you asserting > > something stronger? > > No. Any key who had a single DSA signature created by the flawed version of > OpenSSL should be considered compromised. DSA requires a secret, random > number as part of the signature process; if someone figures it out, or you > use the same number twice, the entire secret key falls.
If I understand correctly, it means that if you use a good key with a flawed openssl to connect to an other host using that key, then that key can be considered compromised. But what about using a good key on a host with a good openssl, to connect to a server which use a bad openssl ? regards, Nicolas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
