Maciej Szuba wrote:
> Hello!
> What should I do? I use Debian for subca; rootca is working on
> Fedora. I generated 400 certs on subca and distributed them to clients.
> Last week I saw a message about an openssl vulnerability in Debian:
> "Luciano Bello discovered that the random number generator in Debian's
> openssl package is predictable.  This is caused by an incorrect
> Debian-specific change to the openssl package (CVE-2008-0166).  As a
> result, cryptographic key material may be guessable."  I checked: the certs
> are affected.  So I must revoke all the clients' certs and the
> subca cert in rootca. But I have a question: what about the CRL? Where will
> clients find the CRL if I revoke (and generate a new) subca cert? I would
> like to ask the developers about a way to find a solution.
>
Here is a hint of an answer.
Normally things SHOULD work this way:
the users' certs are recognized because they are issued by the trusted
CA subca;
subca is trusted because of the certificate issued by rootCA.
So revoking the subca certificate and issuing the corresponding CRL from
the non-vulnerable root CA should be sufficient.
Now you must be sure that both checks, of the user and of the subca, are
always effective.

I hope this helps.

Dominique
> Macie
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft 
> Defy all challenges. Microsoft(R) Visual Studio 2008. 
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Openca-Users mailing list
> Openca-Users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openca-users
>
>
>   


-- 
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]
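
The caveat in the reply above, that both the user check and the subca check must be effective, shown as an added lab example (not part of the original thread and not OpenCA code). It assumes an OpenSSL 1.1 or later command-line tool; every file name, subject and lifetime is constructed. A verifier that consults only the leaf's CRL still accepts a client cert under the revoked subca, while checking the whole chain rejects it.

```shell
# Added lab example: all names, subjects and lifetimes are constructed.
# Builds rootCA -> subca -> client, revokes subca at the root, then verifies
# the client cert twice. Prints "<leaf-only result> <whole-chain result>".
chain_crl_demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[root]
database = root.idx
certificate = root.pem
private_key = root.key
default_md = sha256
default_crl_days = 7
[sub]
database = sub.idx
certificate = sub.pem
private_key = sub.key
default_md = sha256
default_crl_days = 7
EOF
  : > root.idx; : > sub.idx          # empty CA databases
  q() { "$@" >/dev/null 2>&1; }      # run quietly, keep the exit status
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
      -subj "/CN=Demo rootCA" -keyout root.key -out root.pem
  for n in sub client; do
    q openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=Demo $n" -keyout $n.key -out $n.csr
  done
  q openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -set_serial 2 \
      -days 30 -extfile pki.cnf -extensions v3_ca -out sub.pem
  q openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -set_serial 3 \
      -days 30 -out client.pem
  q openssl ca -config pki.cnf -name root -revoke sub.pem   # root revokes subca
  q openssl ca -config pki.cnf -name root -gencrl -out root.crl
  q openssl ca -config pki.cnf -name sub -gencrl -out sub.crl  # client not revoked
  cat root.crl sub.crl > crls.pem
  check() { q openssl verify -CAfile root.pem -untrusted sub.pem \
              -CRLfile crls.pem "$1" client.pem && echo OK || echo REJECTED; }
  echo "$(check -crl_check) $(check -crl_check_all)"
)
```

Calling `chain_crl_demo` prints the leaf-only result followed by the whole-chain result; clients that validate with the leaf-only setting keep trusting the 400 client certs until each one is revoked individually.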

