Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-28 Thread Christian

Hey,

and while we are on the subject: If I install my Class 2 (!) OV
Certificate from startssl the hkps button changes to red. A valid
certificate is not valid. I can understand that self-signed
certificates will turn the hkps indicator red, but why don't we accept
OV certificates that every client will accept in the first place?

I hardly think that *any* client has the CA of sks installed per
default (nor would an average client care to).

And the validation of the sks CA is the same as a Class 1 DV certificate.


tl;dr: We should allow valid signed certificates by default, alongside
the SKS CA, and only turn the button red on self-signed (or invalid) ones.

-Christian.

On 27.05.2014 23:21, dirk astrath wrote:
 Hello Kristian
 
 You are quite correct, and I will revoke and issue new 
 certificates as I get CSRs signed with the same openpgp keys 
 that I originally got requests from.
 Please consider removing vulnerable servers from the HKPS pool. 
 This is not a cosmetic problem like the SKS version number but
 much more serious. Some guys promise a secure channel for
 communication but this is everything but secure.
 I'll consider this once we reach the grace-period timeout (i.e. 
 revoking any certs that haven't been updated that seem 
 vulnerable)
 
 Currently I'm waiting for a change (or announcement) from your
 side.
 
 While installing OCSP stapling on one of my servers some weeks
 ago I detected that there is no entry for an OCSP or CRL server in
 the certificates. At the beginning of this month I ran out of time
 and therefore had a talk with Benny Baumann, who made some
 investigations and sent you an email around two weeks ago.
 
 To sum up why I haven't sent you a new CSR up to now:
 
 If you now revoke a certificate, nobody will know this (since there
 is no source for the revocation).
 
 This means that a new certificate doesn't make it more secure than
 it is now:
 
 If I install a new certificate based on a new private key, you (and
 I) think that this one is secure. If there is now a 
 man-in-the-middle attack, he may present the old certificate.
 The browser on the client side now thinks that the correct
 certificate is used because the revocation status cannot be checked
 ... ;-(
 
 Can you please update your CA (or at least inform us about
 possible changes or your investigation in this case)?
 
 Thank you.
 
 Have a nice day ...
 
 

-- 

 Christian Reiss - em...@christian-reiss.de   /\  ASCII Ribbon
  \ /Campaign
 GPG Key: http://gpg.christian-reiss.deX   against HTML
 Jabber : ch...@alpha-labs.net/ \   in eMails

 It's better to reign in hell than to serve in heaven.,
John Milton, Paradise lost.



___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-28 Thread Gabor Kiss
 Could you please explain the color-codes (on the page?).
 Red/green is obvious, but I don't know where this orange
 color for hkps sites comes from (SNI?)
  Indeed, or the meta page for the server in question.

By the way. Kristian!

May I suggest you use title=explanation attributes within td tags?
At least in non green status cells.
It would produce nice bubble help as one moves the pointer over the table.

Regards

Gabor
-- 
E-mail = m-mail * c-mail ^ 2



Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-28 Thread Kristian Fiskerstrand

On 05/28/2014 08:30 AM, Christian wrote:
 Hey,
 
 and while we are on the subject: If I install my Class 2 (!) OV 
 Certificate from startssl the hkps button changes to red. A valid 
 certificate is not valid. I can understand that self-signed 
 certificates will turn the hkps indicator red, but why don't we
 accept OV certificates that every client will accept in the first
 place?

They will not be able to issue a certificate related to
hkps.pool.sks-keyservers.net as CN or subjectAltName, i.e. the
validation on a pool would fail.

 
 I hardly think that *any* client has the CA of sks installed per 
 default (nor would an average client care to).

it is part of gnupg 2.1 [0]
 
 And the validation of the sks CA is the same as a Class 1 DV
 certificate.
 
 
 tl;dr: We should allow valid signed certificates by default,
 alongside the SKS CA, and only turn the button red on self-signed
 (or invalid) ones.
 

Users are free to choose any server they want.

References
[0]
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=dirmngr/sks-keyservers.netCA.pem;h=24a2ad2e8e39498b4842bd31689f230148d08693;hb=refs/heads/master


-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Ubi mel ibi apes
Where there's honey, there are bees



Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-28 Thread Christian Reiß


On 28/05/14 12:11, Kristian Fiskerstrand wrote:

 They will not be able to issue a certificate related to
 hkps.pool.sks-keyservers.net as CN or subjectAltName, i.e. the
 validation on a pool would fail.

It was too early in the morning, even pre-coffee.
I honestly didn't see that coming and retract my statement :)

-Christian.

-- 

 Christian Reiss - em...@christian-reiss.de   /\  ASCII Ribbon
  \ /Campaign
 GPG Key: http://gpg.christian-reiss.deX   against HTML
 Jabber : ch...@alpha-labs.net/ \   in eMails

 It's better to reign in hell than to serve in heaven.,
John Milton, Paradise lost.





Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-28 Thread Kristian Fiskerstrand

On 05/27/2014 11:41 PM, Andrew Alderwick wrote:
 Dear Rolf,
 
 On Tue, May 27, 2014 at 10:18:31PM +0200, Rolf Wuerdemann wrote:
 On 27.05.2014 17:41, Kristian Fiskerstrand wrote:
 On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:
 To check the inclusion of your server in the hkps pool, look
 at the HKPS column of:
 
 https://sks-keyservers.net/status/
 
 Could you please explain the color-codes (on the page?). 
 Red/green is obvious, but I don't know where this orange color
 for hkps sites comes from (SNI?)
 
 Orange under the hkps column means that the server is vulnerable
 to CVE-2014-3207, which has been patched in SKS 1.1.5 [1,2].
 
 The vulnerability isn't limited to hkps, but Kristian will at some
 point make 1.1.5 a requirement for being part of the hkps pool [3].
 So the orange is left undocumented as it's intended as a temporary
 warning to admins (such as me!) who are yet to update their
 servers.
 

To clarify, I updated the statement a bit on [0,1] so that servers on
older versions with a backported security patch or behind a mitigating
reverse proxy configuration will still be included; this is handled by
the pool software and is why some HKPS entries are flagged green despite being 1.1.5.

References:
[0] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00056.html
[1] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00057.html



-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Great things are not accomplished by those who yield to trends and
fads and popular opinion.
(Jack Kerouac)



Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-28 Thread dirk astrath

Hello Kristian,


I hardly think that *any* client has the CA of sks installed per
default (nor would an average client care to).

it is part of gnupg 2.1 [0]


hm ... even if gnupg 2.1 will check the CRL (I assume you don't (plan 
to) run an OCSP server) ...


when I access the keyserver pool using my browser to have an encrypted 
channel to search/upload/... keys, the revocation status of a 
certificate should be checked.


currently (without the CRL) the expiration date is the only way my 
browser knows that the certificate is no longer valid.


... and ... yes ... gnupg 2.1 is not every client ... ;-)

have a nice day ...




Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-28 Thread Kristian Fiskerstrand

On 05/28/2014 01:05 PM, dirk astrath wrote:
 Hello Kristian,
 
 I hardly think that *any* client has the CA of sks installed
 per default (nor would an average client care to).
 it is part of gnupg 2.1 [0]
 
 hm ... even if gnupg 2.1 will check the CRL (I assume you don't
 (plan to) run an OCSP server) ...
 
 when I access the keyserver pool using my browser to have an
 encrypted channel to search/upload/... keys, the revocation status
 of a certificate should be checked.
 
 currently (without the CRL) the expiration date is the only way my 
 browser knows that the certificate is no longer valid.
 
 ... and ... yes ... gnupg 2.1 is not every client ... ;-)
 
 have a nice day ...
 

The CRL is published on [0] as stated on [1]. You are correct that for
a few of the later certs no CRL has been published along with the cert (mea
culpa, a mistake I made in my config file). However if you see e.g. [2] the CRL
distribution point is back in the certs.

References:
[0] https://sks-keyservers.net/ca/crl.pem
[1] https://sks-keyservers.net/overview-of-pools.php
[2] https://keys.digitalis.org/

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Testis unus, testis nullus
A single witness is no witness



Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-28 Thread dirk astrath

Hello Kristian,


The CRL is published on [0] as stated on [1]. You are correct that for
a few of the later certs no CRL has been published along with the cert (mea
culpa, a mistake I made in my config file). However if you see e.g. [2] the CRL
distribution point is back in the certs.
References:
[0] https://sks-keyservers.net/ca/crl.pem
[1] https://sks-keyservers.net/overview-of-pools.php
[2] https://keys.digitalis.org/


ah ... perfect ... thank you for bringing light to this issue.

you will get new CSRs for my servers within the next days ... ;-)

have a nice day ...




Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-27 Thread Dmitry Yu Okunev (pks.mephi.ru)
Hello.

On 05/25/2014 12:00 AM, Kristian Fiskerstrand wrote:
 On 05/24/2014 08:32 AM, Gabor Kiss wrote:
 On Wed, 9 Apr 2014, kristian.fiskerstr...@sumptuouscapital.com
 wrote:
 
 You are quite correct, and I will revoke and issue new
 certificates as I get CSRs signed with the same openpgp keys that
 I originally got requests from.
 
 Dear Kristian,
 
 Please consider to remove vulnerable servers from HKPS pool. This
 is not a cosmetic problem like SKS version number but much
 serious. Some guys promise secure channel for communication but 
 this is everything but secure.
 
 
 I'll consider this once we reach the grace-period timeout (i.e.
 revoking any certs that haven't been updated that seem vulnerable)

BTW, is it right that our server is not in the HKPS pool
hkps.pool.sks-keyservers.net?

Server: keyserver.ut.mephi.ru (85.143.112.59)

$ host hkps.pool.sks-keyservers.net
hkps.pool.sks-keyservers.net has address 162.243.102.241
hkps.pool.sks-keyservers.net has address 176.9.51.79
hkps.pool.sks-keyservers.net has address 192.71.151.126
hkps.pool.sks-keyservers.net has address 192.146.137.11
hkps.pool.sks-keyservers.net has address 212.12.48.27
hkps.pool.sks-keyservers.net has address 216.66.15.2
hkps.pool.sks-keyservers.net has address 46.4.212.178
hkps.pool.sks-keyservers.net has address 46.229.47.140
hkps.pool.sks-keyservers.net has address 85.10.205.199
hkps.pool.sks-keyservers.net has address 89.68.150.88
hkps.pool.sks-keyservers.net has IPv6 address 2001:6f8:124e::1
hkps.pool.sks-keyservers.net has IPv6 address 2a01:4f8:a0:4024::2:0
hkps.pool.sks-keyservers.net has IPv6 address 2a01:4f8:131:149::f2
hkps.pool.sks-keyservers.net has IPv6 address 2a01:4f8:150:7142::2
hkps.pool.sks-keyservers.net has IPv6 address 2001:470:1:116::6
hkps.pool.sks-keyservers.net has IPv6 address 2001:470:1f09:325::94
hkps.pool.sks-keyservers.net has IPv6 address 2001:67c:26b4::2c6b


-- 
Best regards, Dmitry,
head of UNIX-tech department NRNU MEPhI,
tel. 8 (495) 788-56-99, add. 8255





Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-27 Thread Daniel Kahn Gillmor
On 05/27/2014 09:27 AM, Dmitry Yu Okunev (pks.mephi.ru) wrote:
 BTW, is it right that our server is not in the HKPS pool
 hkps.pool.sks-keyservers.net?
 
 Server: keyserver.ut.mephi.ru (85.143.112.59)
 
 $ host hkps.pool.sks-keyservers.net
 hkps.pool.sks-keyservers.net has address 162.243.102.241
 hkps.pool.sks-keyservers.net has address 176.9.51.79
 hkps.pool.sks-keyservers.net has address 192.71.151.126
 hkps.pool.sks-keyservers.net has address 192.146.137.11
 hkps.pool.sks-keyservers.net has address 212.12.48.27
 hkps.pool.sks-keyservers.net has address 216.66.15.2
 hkps.pool.sks-keyservers.net has address 46.4.212.178
 hkps.pool.sks-keyservers.net has address 46.229.47.140
 hkps.pool.sks-keyservers.net has address 85.10.205.199
 hkps.pool.sks-keyservers.net has address 89.68.150.88
 hkps.pool.sks-keyservers.net has IPv6 address 2001:6f8:124e::1
 hkps.pool.sks-keyservers.net has IPv6 address 2a01:4f8:a0:4024::2:0
 hkps.pool.sks-keyservers.net has IPv6 address 2a01:4f8:131:149::f2
 hkps.pool.sks-keyservers.net has IPv6 address 2a01:4f8:150:7142::2
 hkps.pool.sks-keyservers.net has IPv6 address 2001:470:1:116::6
 hkps.pool.sks-keyservers.net has IPv6 address 2001:470:1f09:325::94
 hkps.pool.sks-keyservers.net has IPv6 address 2001:67c:26b4::2c6b


the host command just looks things up in the DNS.  the DNS round-robin
arrangement only publishes a limited number of records at any given time
(10, maybe?) -- if there are more, they will be served randomly on
future requests.

To check the inclusion of your server in the hkps pool, look at the HKPS
column of:

 https://sks-keyservers.net/status/

--dkg





Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-27 Thread Kristian Fiskerstrand

On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:
 On 05/27/2014 09:27 AM, Dmitry Yu Okunev (pks.mephi.ru) wrote:
 BTW, is it right that our server is not in the HKPS pool 
 hkps.pool.sks-keyservers.net?
 


..


 
 the host command just looks things up in the DNS.  the DNS
 round-robin arrangement only publishes a limited number of records
 of any given time (10, maybe?) -- if there are more, they will be
 served randomly on future requests.

Correct, but it is even more complicated than that. The authoritative
DNS server refreshes based on a random 10 servers every 15 minutes.
Which servers are included then depends on any caching in the
downstream DNS servers, so it is quite likely different users will see
a different selection of the enabled servers.

 
 To check the inclusion of your server in the hkps pool, look at the
 HKPS column of:
 
 https://sks-keyservers.net/status/

Indeed, or the meta page for the server in question.

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Fabricando fit faber
Practice makes perfect

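The point Daniel and Kristian make above, that one `host` answer carries only a random 10 of the pool's A records and so cannot show that a server is out of the pool, as an added simulation written for this page (not the pool software or any sks-keyservers.net code). The 10-per-window and 15-minute figures are the ones stated in the thread; the pool membership below is a constructed list of placeholder names, not real pool members, and downstream resolver caching is ignored:

```python
"""Why one `host hkps.pool.sks-keyservers.net` answer cannot prove a server is out of
the pool: the authoritative zone carries only a random subset of the members.

Added example for this thread, not pool software. The figures come from the
thread (10 random servers published per 15-minute window); the pool itself is a
constructed list of placeholder names, not real pool members."""
import random

PUBLISHED_PER_WINDOW = 10   # from the thread: "a random 10 servers every 15 minutes"
WINDOW_MINUTES = 15

# Constructed pool membership: 16 hypothetical hkps-enabled servers.
POOL = frozenset(f"srv{i:02d}.example" for i in range(1, 17))


def publish_snapshot(pool, rng, k=PUBLISHED_PER_WINDOW):
    """The address set the authoritative server hands out during one refresh window:
    k members chosen uniformly at random (all of them if the pool is smaller)."""
    members = sorted(pool)                       # sorted so a seeded RNG is reproducible
    return frozenset(rng.sample(members, min(k, len(members))))


def miss_probability(pool_size, k=PUBLISHED_PER_WINDOW):
    """Probability that a given pool member is absent from ONE snapshot."""
    if pool_size <= k:
        return 0.0
    return (pool_size - k) / pool_size


def observe(pool, windows, seed=0, k=PUBLISHED_PER_WINDOW):
    """Client that re-queries once per refresh window (ignoring resolver caching)
    and unions the answers. Returns (per-window snapshots, everything seen)."""
    rng = random.Random(seed)
    snapshots = [publish_snapshot(pool, rng, k) for _ in range(windows)]
    seen = frozenset().union(*snapshots)
    return snapshots, seen


def windows_until_seen(pool, server, seed=0, k=PUBLISHED_PER_WINDOW, limit=1000):
    """Number of refresh windows a watcher waits before `server` appears at all.
    None after `limit` windows is strong evidence the server really is not a member;
    absence from a single window is not."""
    rng = random.Random(seed)
    for n in range(1, limit + 1):
        if server in publish_snapshot(pool, rng, k):
            return n
    return None


if __name__ == "__main__":
    snaps, seen = observe(POOL, windows=8, seed=2014)
    print(f"one snapshot misses a given member with p={miss_probability(len(POOL)):.3f}")
    for i, s in enumerate(snaps, 1):
        hidden = len(POOL - s)
        print(f"window {i} ({WINDOW_MINUTES} min): {len(s)} addresses, {hidden} members not visible")
    print(f"union over {len(snaps)} windows covers {len(seen)}/{len(POOL)} members")
    print("srv01.example first visible after",
          windows_until_seen(POOL, "srv01.example", seed=2014), "window(s)")
```

With 16 members and 10 published per window, a given server is missing from 37.5% of snapshots, so a single lookup that does not list your address means nothing; real clients sit behind caching resolvers as well, which is why Kristian notes that different users see different selections. The status page is the authoritative check.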


Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-27 Thread Rolf Wuerdemann


On 27.05.2014 17:41, Kristian Fiskerstrand wrote:
 On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:
 On 05/27/2014 09:27 AM, Dmitry Yu Okunev (pks.mephi.ru) wrote:
 BTW, is it right that our server is not in the HKPS pool 
 [pools and zone-entries]
 
 To check the inclusion of your server in the hkps pool, look at the
 HKPS column of:
 
 https://sks-keyservers.net/status/
 

Could you please explain the color-codes (on the page?).
Red/green is obvious, but I don't know where this orange
color for hkps sites comes from (SNI?)
 Indeed, or the meta page for the server in question.
 

Best,

   rowue
 [...]

-- 
Security is an illusion - Datasecurity twice
Rolf Würdemann -  ro...@digitalis.org
GnuPG fingerprint:EEDC BEA9 EFEA 54A9 E1A9  2D54 69CC 9F31 6C64 206A
xmpp: ro...@digitalis.org E1189573 6B4A150C A0C2BF5A 5553F865 0B9CBF7A
  ro...@jabber.ccc.de 64CBBB68 0A3514A4 026FC1E7 5328CE87 AEE2185F





Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-27 Thread dirk astrath

Hello Kristian

 You are quite correct, and I will revoke and issue new 
 certificates as I get CSRs signed with the same openpgp keys
 that I originally got requests from.
 Please consider removing vulnerable servers from the HKPS pool.
 This is not a cosmetic problem like the SKS version number but much 
 more serious. Some guys promise a secure channel for communication but 
 this is everything but secure.
 I'll consider this once we reach the grace-period timeout (i.e. 
 revoking any certs that haven't been updated that seem
 vulnerable)

Currently I'm waiting for a change (or announcement) from your side.

While installing OCSP stapling on one of my servers some weeks ago I
detected that there is no entry for an OCSP or CRL server in the
certificates. At the beginning of this month I ran out of time and
therefore had a talk with Benny Baumann, who made some investigations
and sent you an email around two weeks ago.

To sum up why I haven't sent you a new CSR up to now:

If you now revoke a certificate, nobody will know this (since there is
no source for the revocation).

This means that a new certificate doesn't make it more secure than it
is now:

If I install a new certificate based on a new private key, you (and I)
think that this one is secure. If there is now a
man-in-the-middle attack, he may present the old certificate. The
browser on the client side now thinks that the correct certificate is
used because the revocation status cannot be checked ... ;-(

Can you please update your CA (or at least inform us about possible
changes or your investigation in this case)?

Thank you.

Have a nice day ...

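The problem dirk raises above (a certificate that names no OCSP responder and no CRL distribution point cannot be checked for revocation, so a client will keep trusting a cert whose key leaked until it expires), and Kristian's answer earlier on this page that the CRL distribution point is back in the newer certs, as an added check written for this page. It is not SKS or sks-keyservers.net code; it needs the `cryptography` package, the certificates it inspects are self-signed test certificates built in-process with constructed host names, the OCSP URL is a placeholder, and the CRL URL is the one Kristian cites in the thread:

```python
"""Check whether a certificate tells relying parties where to look for revocation
information: a CRL distribution point and/or an OCSP responder in the AIA extension.

Added example, not SKS or sks-keyservers.net code. Uses the `cryptography` package;
the inspected certificates are self-signed test certs built here with constructed
names. THREAD_CRL_URL is the URL named in the mailing-list thread."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

THREAD_CRL_URL = "https://sks-keyservers.net/ca/crl.pem"   # cited in the thread


def build_test_cert(common_name, crl_url=None, ocsp_url=None):
    """Self-signed test certificate as PEM bytes. The revocation-pointer extensions
    are added only when a URL is given, so we can build both the 'bad' and the
    'fixed' shape of certificate the thread talks about."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
    )
    if crl_url:
        dp = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    if ocsp_url:
        aia = x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(ocsp_url))])
        builder = builder.add_extension(aia, critical=False)
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


def revocation_sources(pem_bytes):
    """Return the CRL and OCSP URLs a certificate advertises.
    An empty result is exactly the situation dirk describes: a client can only
    fall back on the expiry date, and a revoked cert keeps validating until then."""
    cert = x509.load_pem_x509_certificate(pem_bytes)
    crl_urls, ocsp_urls = [], []
    try:
        for dp in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value:
            for gn in dp.full_name or []:
                if isinstance(gn, x509.UniformResourceIdentifier):
                    crl_urls.append(gn.value)
    except x509.ExtensionNotFound:
        pass
    try:
        for ad in cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value:
            if (ad.access_method == AuthorityInformationAccessOID.OCSP
                    and isinstance(ad.access_location, x509.UniformResourceIdentifier)):
                ocsp_urls.append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return {"crl": crl_urls, "ocsp": ocsp_urls,
            "revocation_checkable": bool(crl_urls or ocsp_urls)}


if __name__ == "__main__":
    # Constructed host name; not a real pool member.
    for label, pem in [
        ("no revocation pointers", build_test_cert("keys.example.test")),
        ("CRL DP present", build_test_cert("keys.example.test", crl_url=THREAD_CRL_URL)),
    ]:
        print(f"{label}: {revocation_sources(pem)}")
```

Run `revocation_sources()` over the PEM your CA actually issued you (or over `openssl s_client` output from your own server) before putting it into service; a `revocation_checkable` of `False` means a future revocation by the pool CA cannot reach browsers, which is the gap dirk's message is about.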


Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-27 Thread Andrew Alderwick

Dear Rolf,

On Tue, May 27, 2014 at 10:18:31PM +0200, Rolf Wuerdemann wrote:

On 27.05.2014 17:41, Kristian Fiskerstrand wrote:

On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:

To check the inclusion of your server in the hkps pool, look at the
HKPS column of:

https://sks-keyservers.net/status/


Could you please explain the color-codes (on the page?).
Red/green is obvious, but I don't know where this orange
color for hkps sites comes from (SNI?)


Orange under the hkps column means that the server is vulnerable to 
CVE-2014-3207, which has been patched in SKS 1.1.5 [1,2].


The vulnerability isn't limited to hkps, but Kristian will at some point 
make 1.1.5 a requirement for being part of the hkps pool [3]. So the 
orange is left undocumented as it's intended as a temporary warning to 
admins (such as me!) who are yet to update their servers.


Thanks,
Andy

[1] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg0.html
[2] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00026.html
[3] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00033.html




Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-24 Thread Gabor Kiss
On Wed, 9 Apr 2014, kristian.fiskerstr...@sumptuouscapital.com wrote:

 You are quite correct, and I will revoke and issue new certificates as I get
 CSRs signed with the same openpgp keys that I originally got requests from.

Dear Kristian,

Please consider removing vulnerable servers from the HKPS pool.
This is not a cosmetic problem like the SKS version number but much more serious.
Some guys promise a secure channel for communication but
this is everything but secure.

Gabor
-- 
A mug of beer, please. Shaken, not stirred.



Re: [Sks-devel] Heartbleed ans HKPS pool

2014-05-24 Thread Kristian Fiskerstrand

On 05/24/2014 08:32 AM, Gabor Kiss wrote:
 On Wed, 9 Apr 2014, kristian.fiskerstr...@sumptuouscapital.com
 wrote:
 
 You are quite correct, and I will revoke and issue new
 certificates as I get CSRs signed with the same openpgp keys that
 I originally got requests from.
 
 Dear Kristian,
 
 Please consider removing vulnerable servers from the HKPS pool. This
 is not a cosmetic problem like the SKS version number but much
 more serious. Some guys promise a secure channel for communication but 
 this is everything but secure.
 

I'll consider this once we reach the grace-period timeout (i.e.
revoking any certs that haven't been updated that seem vulnerable)


-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Great things are not accomplished by those who yield to trends and
fads and popular opinion.
(Jack Kerouac)



Re: [Sks-devel] Heartbleed ans HKPS pool

2014-04-10 Thread Benny Baumann


Hi Folks,

On 09.04.2014 17:38, Kiss Gabor (Bitman) wrote:
 Folks,

 Do not forget that all hkps.pool.sks-keyservers.net certificates
 should be revoked and replaced after fixing openssl Heartbleed Bug
 on vulnerable key servers. (Including mine.)
My keyserver at pgp.benny-baumann was NOT affected, because:
- I don't use OpenSSL, but GnuTLS 3.2



 Gabor
Regards,
BenBE.




[Sks-devel] Heartbleed ans HKPS pool

2014-04-09 Thread Kiss Gabor (Bitman)
Folks,

Do not forget that all hkps.pool.sks-keyservers.net certificates
should be revoked and replaced after fixing openssl Heartbleed Bug
on vulnerable key servers. (Including mine.)

Gabor



Re: [Sks-devel] Heartbleed ans HKPS pool

2014-04-09 Thread Dmitry Yu Okunev (pks.mephi.ru)
Hello

On 04/09/2014 10:51 PM, kristian.fiskerstr...@sumptuouscapital.com wrote:
 You are quite correct, and I will revoke and issue new certificates as I
 get CSRs signed with the same openpgp keys that I originally got
 requests from. 

So we should just wait for new certificates. Right? :)

-- 
Best regards, Dmitry,
head of UNIX-tech department NRNU MEPhI,
tel. 8 (495) 788-56-99, add. 8255





Re: [Sks-devel] Heartbleed ans HKPS pool

2014-04-09 Thread Gabor Kiss
  You are quite correct, and I will revoke and issue new certificates as I
  get CSRs signed with the same openpgp keys that I originally got
  requests from. 
 
 So we should just wait for new certificates. Right? :)

All of us have to generate a new secret key and signing request first.

Gabor
-- 
Spider-Pig, Spider-Pig
Does whatever a Spider-Pig does.
Can he swing from a web?
No, he can't, he's a pig.
Look out! He is a Spider-Pig.
