Re: [Sks-devel] Heartbleed ans HKPS pool

[Christian]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey,

and while we are on the subject: If I install my Class 2 (!) OV
Certificate from startssl the hkps button changes red. A valid
certificte is not valid. I can understand that self-signed
certificates will turn the hkps indicator red, but why don't we accept
OV certificates that every client will accept in the first place?

I hardly think that *any* client has the CA of sks installed per
default (nor would an average client care to).

And the validation von sks CA is the save as a Class 1 DV certificate.


tl;dr: We should allow valid signed certificates by default, alongside
of the SKS Ca and only turn the button red on self-signed (or invalids).

- -Christian.

On 27.05.2014 23:21, dirk astrath wrote:
> Hello Kristian
> 
>>>> You are quite correct, and I will revoke and issue new 
>>>> certificates as I get CSRs signed with the same openpgp keys 
>>>> that I originally got requests from.
>>> Please consider to remove vulnerable servers from HKPS pool. 
>>> This is not a cosmetic problem like SKS version number but
>>> much serious. Some guys promise secure channel for
>>> communication but this is everything but secure.
>> I'll consider this once we reach the grace-period timeout (i.e. 
>> revoking any certs that haven't been updated that seems 
>> vulnerable)
> 
> Currently i'm waiting for a change (or announcement) from your
> site.
> 
> While installing "OCSP Stapling" on one of my servers some weeks
> ago I detected, that there is no entry for an OCSP or CRL-Server in
> the certificates. At the beginning of this month I ran out of time
> and therefore had a talk to Benny Baumann, who made some
> investigations and sent you an email around two weeks ago.
> 
> To sum up, why I didn't sent you a new CSR up to now:
> 
> If you now revoke a certificate, nobody will know this (since there
> is no source for the revocation).
> 
> This means, that a new certficate doesn't make it more secure than
> it is now:
> 
> If i install a new certificate based on a new private key, you (and
> I) think, that this one is secure. If there is now a 
> "man-in-the-middle"-attack, he may present the old certificate.
> The browser on the client site now thinks, that the correct
> certificate is used because the revocation status cannot be checked
> ... ;-(
> 
> Can you please update your CA (or at least inform us about
> possible changes or your investigation in this case?
> 
> Thank you.
> 
> Have a nice day ...
> 
> _______________________________________________ Sks-devel mailing
> list address@hidden 
> https://lists.nongnu.org/mailman/listinfo/sks-devel
> 

- -- 

 Christian Reiss - address@hidden       /"\  ASCII Ribbon
                                                  \ /    Campaign
 GPG Key: http://gpg.christian-reiss.de            X   against HTML
 Jabber : address@hidden                    / \   in eMails

 "It's better to reign in hell than to serve in heaven.",
                                        John Milton, Paradise lost.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQIcBAEBAgAGBQJThYJ3AAoJEETikSarzUPFBMcP/A+zhbitnmn61OQnx5KHtAdF
IdFixxJ0UDXHNylV4gIOXvUvDWsz38NCs8pZo7HuIJYI/ka8NVwuFD791MLP8E4G
ruhe0FjoUc/mKNVfquXS5ayJ5omQrXXaETu2LEOBfGvsRjQcfVrGsoH2ACwaW2Mn
LoWORYzrsc61Phfjz0Qyaru3HSqyvv+8xD9ZmnTSZU/yjOLK7v7R7wsXnJREP5tE
IVBtdumTt06n/DMNxdEqTC4DghoqbScG9hqkA/iYhzlTMOvRgYgdOb3HvspmAgkb
EywTh5592n7KOPxq7fp7hwLA9Na5Q//AIdWJSrA7wK4+/6R/VOSAYBK5ljsL3/bx
XKwPqvAwYRoMOTYHJH9jzAEjzv3I+0iESs7uqVNQbJvqqYkolYyJd0xC2JrWTWi3
x+VyRKU2epw+7MbOw4HqV36x9Aj6jl0HjXw/OVJ9fF/HWxjeYp87RRTpeGagjh/5
WoikNEZkx4MwlcbFPBXrHhUYPnJ23TXh/Z4+uHxMQMrP/7oVi/C+QYA+I7fM2wNz
erLMkJ2FX3Ie/RQ701ctuOMIkyoiDcn8X7XxfT2Q2AhX3dzZ55KmjZQw5YOeVr08
0ZySkuskKGu2NRDwW5VE5Rd6olqoB/1diLYJ4QTciGtgxOuVcHhR7BzBsT/rGCbN
bY8j58XJOe7dH8Iw4GuO
=Lfv2
-----END PGP SIGNATURE-----

---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com