On Thu, May 15, 2008 at 09:31:25PM -0300, Felipe Augusto van de Wiel (faw) wrote:
> Speaking about that, are there plans to deploy
> openssl-blacklist in Debian as an official package?
I'd be happy to get the Ubuntu blacklists into Debian -- honestly I haven't had time yet (travelling, Ubuntu responsibilities, etc). Given the sizes of the various blacklists, I'd like to perhaps provide multiple packages. The openssh-blacklist was a balance between size and default-generated keys. I'd like to add packages for -rsa1024 and -rsa4096, etc. This could be done for openssl too, I think.

There has been some confusion (well, lack of public information) about generating the blacklists. Since this is mostly public now with H D Moore's site[1], the random number streams were affected by three things:

1) process ID
2) sizeof(long)
3) endian-ness

Presently, every combination of these for default dsa1024 and rsa2048 went into openssh-blacklist. openssl-blacklist contains one additional case: the existence of the .rnd file, which added another binary state, doubling the size of those blacklists.

Then finally we could have a -all that installed all of them if someone wanted it.

openvpn also needs blacklists, since it is another unique key generation package. There may be others beyond that. Jamie Strandboge (Cc'd) has been researching the blacklists (and built the ssl and openvpn blacklists in Ubuntu).

-Kees

[1] http://metasploit.com/users/hdm/tools/debian-openssl/

--
Kees Cook @outflux.net
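The per-keytype blacklist layout the mail describes (one list per algorithm and size, only some sizes packaged so far) can be exercised with a small checker. This is an added example, not code from the mail or from the openssl-blacklist/openssh-blacklist packages; the entry format (last 20 hex characters of the SHA-1 of the public key blob, `#` comment lines), the sample keys and the sample lists are all constructed assumptions for the demonstration. It goes slightly beyond the text by returning a third "unknown" state when no list exists for a key's size, so that an unpackaged size is not mistaken for a clean key.

```python
"""Check a public key against per-keytype weak-key blacklists.

Assumed (not from the mail): one list per ALGORITHM-BITS name, each entry
being the last 20 hex chars of SHA-1 over the public key blob, one per
line, with '#' lines as comments. Keys and lists below are constructed.
"""
import hashlib


def blacklist_entry(pubkey_blob: bytes) -> str:
    """Lookup token for a key under the assumed truncated-SHA-1 scheme."""
    return hashlib.sha1(pubkey_blob).hexdigest()[-20:]


def load_blacklist(text: str) -> set:
    """Parse a blacklist file body into a set of lower-case entries."""
    entries = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue  # header / comment lines carry no entries
        entries.add(line)
    return entries


def is_blacklisted(pubkey_blob: bytes, key_type: str, bits: int, blacklists: dict):
    """True/False when a list exists for this type and size, None otherwise.

    None means "no list shipped for this size" (e.g. rsa4096 before a
    -rsa4096 package exists): the key is unchecked, not known-good.
    """
    name = f"{key_type.upper()}-{bits}"
    if name not in blacklists:
        return None
    return blacklist_entry(pubkey_blob) in blacklists[name]


# Constructed sample material: two fake key blobs and two list bodies.
WEAK_KEY = b"constructed-weak-rsa-2048-key-blob"
GOOD_KEY = b"constructed-good-rsa-2048-key-blob"
BLACKLISTS = {
    "RSA-2048": load_blacklist(
        "# Blacklisted RSA-2048 keys (constructed)\n" + blacklist_entry(WEAK_KEY) + "\n"
    ),
    "DSA-1024": load_blacklist("# Blacklisted DSA-1024 keys (constructed)\n"),
}

if __name__ == "__main__":
    for label, key, bits in (("weak", WEAK_KEY, 2048), ("good", GOOD_KEY, 2048), ("4096", GOOD_KEY, 4096)):
        print(label, is_blacklisted(key, "rsa", bits, BLACKLISTS))
```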

