sks-devel

Re: [Sks-devel] Heartbleed ans HKPS pool


From: dirk astrath
Subject: Re: [Sks-devel] Heartbleed ans HKPS pool
Date: Tue, 27 May 2014 21:21:06 +0000
User-agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Kristian

>>> You are quite correct, and I will revoke and issue new
>>> certificates as I get CSRs signed with the same OpenPGP keys
>>> that I originally got requests from.
>> Please consider removing vulnerable servers from the HKPS pool.
>> This is not a cosmetic problem like the SKS version number but much
>> more serious. Some guys promise a secure channel for communication but
>> this is everything but secure.
> I'll consider this once we reach the grace-period timeout (i.e.
> revoking any certs that haven't been updated and that seem
> vulnerable)

Currently I'm waiting for a change (or announcement) from your side.

While installing "OCSP Stapling" on one of my servers some weeks ago I
noticed that there is no entry for an OCSP or CRL server in the
certificates. At the beginning of this month I ran out of time and
therefore had a talk with Benny Baumann, who made some investigations
and sent you an email around two weeks ago.

To sum up why I haven't sent you a new CSR up to now:

If you now revoke a certificate, nobody will know about it (since there
is no source for the revocation).

This means that a new certificate doesn't make it more secure than it
is now:

If I install a new certificate based on a new private key, you (and I)
think that this one is secure. If there is now a
man-in-the-middle attack, he may present the old certificate. The
browser on the client side now thinks that the correct certificate is
used, because the revocation status cannot be checked ... ;-(

Can you please update your CA (or at least inform us about possible
changes or your investigation in this case)?

Thank you.

Have a nice day ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlOFAcEACgkQVuf/iihAxwgIFACcC5c8gnLMx9wriyVUyc98P2uH
xmkAoJXuyuovrLDrwXyDtNAfQq1rJRcW
=gvYu
-----END PGP SIGNATURE-----
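The check behind dirk's complaint, as an added example that is not part of this thread, the SKS project, or the pool CA: two openssl calls that tell you whether a certificate carries an OCSP responder URL (authorityInfoAccess) and a CRL distribution point, run against two self-signed certificates constructed on the spot. The hostnames, URLs and function names are hypothetical; the only thing assumed from the environment is the openssl command-line tool. A certificate that carries neither pointer gives a relying party no place to look for a revocation, which is why revoking the old Heartbleed-era certificate changes nothing for a client that is shown it by a man in the middle.

```shell
#!/bin/sh
# Added example, not code from the sks-devel thread or the SKS project.
# Reports whether a PEM certificate carries the two revocation pointers a
# relying party needs: an OCSP responder URL (authorityInfoAccess) and a
# CRL distribution point. Requires the openssl command-line tool.

# Print "ocsp=<yes|no> crl=<yes|no>" for the certificate in $1.
# Exit status 0 only when both pointers are present.
revocation_pointers() {
    cert="$1"
    ocsp=no
    crl=no
    # -ocsp_uri prints every OCSP URI from authorityInfoAccess, one per
    # line, and prints nothing when the extension is absent
    if [ -n "$(openssl x509 -in "$cert" -noout -ocsp_uri)" ]; then
        ocsp=yes
    fi
    # the text dump labels the extension "X509v3 CRL Distribution Points"
    if openssl x509 -in "$cert" -noout -text | grep -q 'X509v3 CRL Distribution Points'; then
        crl=yes
    fi
    printf 'ocsp=%s crl=%s\n' "$ocsp" "$crl"
    [ "$ocsp" = yes ] && [ "$crl" = yes ]
}

# Two self-signed demo certificates, constructed here with hypothetical
# names: one carrying both pointers, one carrying neither (the situation
# the mail describes for the HKPS pool certificates).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ with_pointers ]
authorityInfoAccess   = OCSP;URI:http://ocsp.example.invalid/
crlDistributionPoints = URI:http://crl.example.invalid/ca.crl
[ without_pointers ]
basicConstraints = CA:FALSE
EOF

# make_cert <extension section> <output PEM>
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=hkps.example.invalid' \
        -config "$DEMO_DIR/ext.cnf" -extensions "$1" \
        -keyout "$DEMO_DIR/key.pem" -out "$2" 2>/dev/null
}
make_cert with_pointers    "$DEMO_DIR/with.pem"
make_cert without_pointers "$DEMO_DIR/without.pem"

# with.pem reports ocsp=yes crl=yes; without.pem reports ocsp=no crl=no
for name in with without; do
    printf '%s.pem: ' "$name"
    revocation_pointers "$DEMO_DIR/$name.pem" \
        || echo "  -> no revocation source: an old certificate for this name would still be accepted"
done
```

To run the same check against a live pool member, save the leaf certificate that `openssl s_client -connect <host>:443 -showcerts` prints and pass that file to revocation_pointers. The function only tells you whether the pointers exist; whether the CA actually publishes a CRL or answers OCSP at those URLs is a separate question, and stapling (what dirk was setting up) can only relay an OCSP response if there is a responder to get it from.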


