RE: [Nolug] SSL bug

From: John Souvestre <johns_at_sstar.com>
Date: Wed, 9 Apr 2014 14:11:38 -0500
Message-ID: <016501cf5427$894baed0$9be30c70$@sstar.com>

> So no current public CA that claims to be following the security
> standards, could have a CA certificate compromised, unless they were quite
> negligent.

I believe you are incorrect about this.

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

John

    John Souvestre - New Orleans LA

From: owner-nolug@stoney.kellynet.org [mailto:owner-nolug@stoney.kellynet.org]
On Behalf Of Jimmy Hess
Sent: Wed, April 09, 2014 8:37 am
To: nolug@nolug.org
Subject: Re: [Nolug] SSL bug

On Wed, Apr 9, 2014 at 8:00 AM, Joey Kelly <joey@joeykelly.net> wrote:

On 04/09/2014 04:27 AM, Ron Johnson wrote:
> Do CA certificates need to be recreated?

It is impossible without having violated basic Crypto 101 key hygiene rules.

So no current public CA that claims to be following the security standards,
could have a CA certificate compromised, unless they were quite negligent.

Should never issue certificates that have a Policy definition/Extended key
usage allowing the certificate to be used for both Key agreement/Data
encipherment AND for Certificate signing (or CRL Signing).

CA signing keys should never be loaded onto a webserver.

Always sign a separate certificate that has a different key from the
certificate signing key.

If you created them with a vulnerable OpenSSL version, then yes. I've
got one to redo myself.

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
___________________
Nolug mailing list
nolug@nolug.org

--
-Mysid

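As an added example that is not part of the thread, the following script checks for the key-usage mixing Jimmy Hess describes: it parses the dump produced by `openssl x509 -noout -text` and flags a certificate whose key can both sign certificates (or CRLs) and perform TLS key exchange. The two sample dumps are constructed for this illustration, not real certificates.

```python
import re

# Key usages a TLS server key exercises; a server-side memory disclosure bug
# such as Heartbleed exposes whatever key carries these usages.
SERVER_USAGES = {"Key Encipherment", "Data Encipherment", "Key Agreement"}
# Key usages that belong only to an issuing (CA) key.
CA_USAGES = {"Certificate Sign", "CRL Sign"}

def parse_extensions(text):
    """Return (is_ca, key_usages) from `openssl x509 -noout -text` output."""
    bc = re.search(r"X509v3 Basic Constraints:[^\n]*\n\s*CA:(TRUE|FALSE)", text)
    is_ca = bc is not None and bc.group(1) == "TRUE"
    ku = re.search(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)", text)
    usages = {u.strip() for u in ku.group(1).split(",")} if ku else set()
    return is_ca, usages

def mixed_role_findings(text):
    """List the ways a certificate violates CA/server key separation."""
    is_ca, usages = parse_extensions(text)
    findings = []
    if usages & CA_USAGES and usages & SERVER_USAGES:
        findings.append("key usage mixes CA signing with key exchange: "
                        + ", ".join(sorted(usages)))
    if is_ca and usages & SERVER_USAGES:
        findings.append("CA:TRUE certificate also permits TLS key exchange")
    return findings

# Constructed sample dumps (not real certificates) in openssl's text layout.
BAD_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN=www.example.test
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Key Encipherment, Certificate Sign, CRL Sign
"""
GOOD_LEAF_TEXT = """\
Certificate:
    Data:
        Subject: CN=www.example.test
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""

if __name__ == "__main__":
    for name, dump in (("bad", BAD_CERT_TEXT), ("leaf", GOOD_LEAF_TEXT)):
        print(name, mixed_role_findings(dump) or ["ok"])
```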
Received on 04/09/14