On 10 Apr 2014, at 10:38, John Breen <jbr...@isc.upenn.edu> wrote:
> So a quick clarification here...
> 
> Are we saying that a cosign service credential cannot be leaked via 
> heartbleed to a 3rd party even if the cosign client service is 
> vulnerable? That the cosign client service credential could only be 
> obtained by using the cosignd server as an attack vector?
> 
> Why is the cosign client credential different than say an SSL 
> certificate as far as it potentially being in memory that might be leaked?

It's not at all!  Since the server is (hopefully) running HTTPS, that would be 
the vector.  mod_cosign would be a vector as well, but only really exposed to 
the connected cosignd.  To clarify: rekeying would be wise.

:wes
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss