A serious vulnerability in Debian GNU/Linux was announced today regarding SSL keys generated on Debian machines using OpenSSL:
http://lists.debian.org/debian-security-announce/2008/msg00152.html

This is just a quick note that the announced vulnerability does not affect certificates generated by the XMPP Intermediate Certification Authority (ICA) running at <https://www.xmpp.net/>. Although all of the machines in the jabber.org/xmpp.org/xmpp.net infrastructure run on Debian, the certificates and certificate signing requests (CSRs) issued by the XMPP ICA are not generated on any of those machines. Instead, if you have obtained a certificate using the XMPP ICA you had a choice of:

(1) generating your own CSR; in this case if you did so on a Debian machine then your certificate may be weak...

or:

(2) having the root CA (StartCom) generate the CSR for you; in this case your CSR was generated by a real hardware random number generator which feeds the entropy pool as opposed to a pseudo random number generator which mimics that behavior in software.

If you have any questions about this matter, feel free to contact me directly.

This notice is also posted here:
https://www.xmpp.net/news/2008/05/13/xmpp-ica-certificates-and-debian-openssl-vulnerability

Peter

--
Peter Saint-Andre
https://stpeter.im/