David E. Ross wrote:
> See <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166>. Discussion of
> this at the Risks Forum 25.15 indicates that "All SSL and SSH keys
> generated on Debian-based systems (Ubuntu, Kubuntu, etc) between
> September 2006 and May 13th, 2008 may be affected." See "Debian
> OpenSSL Predictable PRNG Toys" and "Debian OpenSSL Vulnerability" at
> <http://catless.ncl.ac.uk/Risks/25.15.html>.
>
> The recommendation is that all affected root certificates be revoked and
> replaced. The question is whether any of the root certificates
> installed in the past two years, or that are approved or under review, are
> affected.
I presume that by "affected root certificates" you mean "root certificates with key pairs generated using OpenSSL on Debian-based systems", correct? The only CA I can think of that would possibly be in this situation is CAcert, and of course it's not even applying for inclusion at this point. Maybe I'm naive, but I can't imagine any commercial CAs are using OpenSSL for CA functions -- but in any case we can certainly ask CAs about this.

Could you please file a bug on this against mozilla.org / CA certificates and assign it to me?

Frank

-- 
Frank Hecker

dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
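The thread asks how one would tell whether a given certificate's key is among those "generated on Debian-based systems" during the affected window. Because the broken PRNG could only produce a small, enumerable set of key pairs, the practical check is a blacklist lookup on the RSA modulus, not any inspection of the key's appearance. The script below is an added example, not code from this thread, from Mozilla or from the Debian tooling; it assumes the blacklist layout used by the openssl-blacklist package as I understand it (each entry is the last 20 hex digits of SHA-1 over the text `Modulus=<HEX>` plus newline, exactly as printed by `openssl x509 -noout -modulus -in cert.pem`). The blacklist, the moduli and the `SAMPLE_*` names are constructed for the example and contain no real weak-key fingerprints.

```python
"""Blacklist lookup for RSA moduli, in the style of the Debian weak-key check.

Added example (not the thread's or Debian's own code). Assumption: a blacklist
entry is the low 80 bits (last 20 hex digits) of SHA-1 over the line
"Modulus=<UPPERCASE HEX>\n" as emitted by `openssl x509 -noout -modulus`.
All sample data below is constructed.
"""
from __future__ import annotations

import hashlib
import re

_MODULUS_LINE = re.compile(r"^Modulus=([0-9A-Fa-f]+)\s*$")


def parse_modulus_line(line: str) -> str:
    """Extract the hex modulus from an `openssl ... -modulus` output line."""
    match = _MODULUS_LINE.match(line.strip())
    if not match:
        raise ValueError(f"not an openssl modulus line: {line!r}")
    return match.group(1).upper()


def blacklist_fingerprint(modulus_hex: str) -> str:
    """SHA-1 over the canonical modulus line, keeping the last 20 hex digits.

    Upper-casing makes the result independent of how the hex was written.
    """
    canonical = f"Modulus={modulus_hex.upper()}\n".encode("ascii")
    return hashlib.sha1(canonical).hexdigest()[20:]


def key_bits(modulus_hex: str) -> int:
    """Bit length of the modulus (blacklists are per key size)."""
    return int(modulus_hex, 16).bit_length()


def load_blacklist(text: str) -> set[str]:
    """Parse a blacklist file: one fingerprint per line, '#' comments allowed."""
    entries: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line.lower())
    return entries


def is_weak(modulus_hex: str, blacklist: set[str]) -> bool:
    """True if the modulus' fingerprint appears in the blacklist."""
    return blacklist_fingerprint(modulus_hex) in blacklist


def check_certificate_modulus(line: str, blacklist: set[str]) -> dict:
    """Report on one modulus line: size, fingerprint and weak/not-weak verdict."""
    modulus = parse_modulus_line(line)
    return {
        "bits": key_bits(modulus),
        "fingerprint": blacklist_fingerprint(modulus),
        "weak": is_weak(modulus, blacklist),
    }


# Constructed 2048-bit moduli (512 hex digits each); not real keys.
SAMPLE_WEAK_MODULUS = "C" + "0" * 510 + "1"
SAMPLE_OK_MODULUS = "D" + "0" * 510 + "3"

# Constructed blacklist: the "weak" modulus is listed, the other is not.
SAMPLE_BLACKLIST_TEXT = "\n".join([
    "# constructed blacklist for the example (not a real Debian blacklist)",
    blacklist_fingerprint(SAMPLE_WEAK_MODULUS),
])
SAMPLE_BLACKLIST = load_blacklist(SAMPLE_BLACKLIST_TEXT)


if __name__ == "__main__":
    for label, mod in (("weak", SAMPLE_WEAK_MODULUS), ("ok", SAMPLE_OK_MODULUS)):
        report = check_certificate_modulus(f"Modulus={mod}", SAMPLE_BLACKLIST)
        print(label, report)
```

In practice the modulus line comes from `openssl x509 -noout -modulus -in cert.pem` (or `openssl rsa -noout -modulus` for a private key), and the blacklist from the distribution's weak-key package; a hit means the key must be treated as compromised and the certificate revoked and reissued, which is exactly the recommendation quoted above.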