Not really, Ian. Basically, MITM attacks against the sites involved are now trivial, and we already know that MITM attacks are being mounted by unscrupulous operators of unencrypted wireless access points. All the attacker must do at this point is download the certificates from the affected sites, and they can authenticate as those sites without triggering any warning.
This is an issue that affects the entire PKI. If any site uses a weak key and the CA hasn't revoked the cert, then that site can be spoofed without warning.

-Kyle H

On Thu, Jan 22, 2009 at 3:13 AM, Ian G <i...@iang.org> wrote:
>
> Although it is good that people rose to the challenge of the Debian PRNG
> failure, I do not understand the position that all certs had to be revoked.
> Isn't it a situation between the Subscribers, Relying Parties and the CA
> concerned? That is, notification is as far as you can go?
>
> As a sort of odd anecdote, one person of some rather excellent crypto and
> PKI knowledge over at CAcert insisted that he be allowed to be able to
> publish his private key for some arcane crypto experiment. As far as I
> know, he didn't get a positive answer on that point ... but it does rather
> make one think about the limits of the process.
>
> iang
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto