On Wed, May 14, 2008 at 6:08 AM, River Tarnell <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Carl Fürstenberg:
>> but surely, can't all the keys people are using for logging in have been
>> compromised?
>
> i'm not sure what you're asking here. as far as i understand the problem,
> using an SSH key to log into an affected server does not compromise the key.
> (if it did, that would be very bad, because the point of asymmetric
> cryptography is that the other end doesn't know your private key.)
>
> the key _is_ affected if you copy the private part of the key to an affected
> server and use it there.
But the keys that some people use to log in may be compromised if they were created on a vulnerable OpenSSL version, not on the toolserver. Given that Brion disabled some people's commit keys, I take it that it's possible to tell whether a key is compromised just by examining the public key. Do you plan to do that, or allow people with compromised keys to continue to log in? Or is that a false dilemma?

_______________________________________________
Toolserver-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/toolserver-l
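An added example of the public-key-only check the reply asks about (not code from this thread or from the toolserver): the broken OpenSSL generator seeded its RNG from the process ID alone, so it could only emit a small, enumerable set of keys, and a key can be recognised as weak by comparing its fingerprint against a blacklist of every fingerprint that generator could produce, without ever seeing the private part. The authorized_keys lines, key blobs and blacklist below are constructed sample data; the fingerprint is the legacy colon-separated MD5 form.

```python
import base64
import hashlib

def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the decoded key blob as colon-separated
    hex, the form `ssh-keygen -l` printed in 2008."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line. Blank lines, comments and
    lines whose base64 does not decode are skipped; option-prefixed lines are
    not handled here."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield key_type, blob, comment

def flag_blacklisted(text: str, blacklist: set) -> list:
    """Return the comments of every key whose fingerprint is blacklisted."""
    return [comment for _type, blob, comment in parse_authorized_keys(text)
            if md5_fingerprint(blob) in blacklist]

def _key_line(key_type: str, blob: bytes, comment: str) -> str:
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed key blobs (not real keys) and a constructed authorized_keys file.
WEAK_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"constructed weak key blob"
GOOD_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"constructed good key blob"
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    _key_line("ssh-rsa", WEAK_BLOB, "alice@example"),
    _key_line("ssh-rsa", GOOD_BLOB, "bob@example"),
    "ssh-rsa not*valid*base64 carol@example",
])
# Constructed blacklist; a real one holds the fingerprints of every key the
# broken generator could have produced.
BLACKLIST = {md5_fingerprint(WEAK_BLOB)}
```

Running `flag_blacklisted(AUTHORIZED_KEYS, BLACKLIST)` on the sample returns only the weak key's comment, which is the list an administrator would act on.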
