[jdev] XMPP ICA certificates and Debian OpenSSL vulnerability

Peter Saint-Andre stpeter at stpeter.im
Tue May 13 09:33:47 CDT 2008


A serious vulnerability in Debian GNU/Linux was announced today
regarding SSL keys generated on Debian machines using OpenSSL:

http://lists.debian.org/debian-security-announce/2008/msg00152.html

This is just a quick note that the announced vulnerability does not
affect certificates generated by the XMPP Intermediate Certification
Authority (ICA) running at <https://www.xmpp.net/>.

Although all of the machines in the jabber.org/xmpp.org/xmpp.net
infrastructure run on Debian, the certificates and certificate signing
requests (CSRs) issued by the XMPP ICA are not generated on any of those
machines. Instead, if you have obtained a certificate using the XMPP ICA
you had a choice of:

(1) generating your own CSR; in this case if you did so on a Debian
machine then your certificate may be weak...

or:

(2) having the root CA (StartCom) generate the CSR for you; in this case
your CSR was generated by a real hardware random number generator which
feeds the entropy pool as opposed to a pseudo-random number generator
which mimics that behavior in software.
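For anyone who took option (1) and wants to verify their own certificate, the check Debian shipped was a lookup of the key's RSA modulus against a blacklist of the known-weak moduli. The script below is an added example, not part of this post or of the XMPP ICA; it assumes the blacklist entry format as I recall it from Debian's openssl-blacklist package (last 20 hex characters of SHA-1 over the `Modulus=HEX` line as `openssl x509 -noout -modulus` prints it), and the moduli and blacklist in it are constructed for illustration, not real keys.

```python
import hashlib
import re

BLACKLIST_TAIL = 20  # assumed: entries keep the low 80 bits of the SHA-1 hex digest


def blacklist_fingerprint(modulus_hex):
    """Compute the blacklist lookup key for an RSA modulus.

    Assumed openssl-blacklist format: SHA-1 of the line exactly as
    `openssl x509 -noout -modulus -in cert.pem` prints it ("Modulus=<HEX>\\n",
    uppercase hex), keeping only the last BLACKLIST_TAIL hex characters.
    """
    hexstr = modulus_hex.strip()
    if hexstr.startswith("Modulus="):
        hexstr = hexstr[len("Modulus="):]
    hexstr = hexstr.upper()
    if not re.fullmatch(r"[0-9A-F]+", hexstr):
        raise ValueError("modulus must be a hex string")
    line = ("Modulus=%s\n" % hexstr).encode("ascii")
    return hashlib.sha1(line).hexdigest()[-BLACKLIST_TAIL:]


def load_blacklist(text):
    """Parse blacklist text: one fingerprint per line, '#' lines are comments."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.add(line.lower())
    return entries


def is_weak(modulus_hex, blacklist):
    """True if the certificate's modulus is in the weak-key blacklist."""
    return blacklist_fingerprint(modulus_hex) in blacklist


# Constructed sample data (not real keys): one modulus we pretend is weak,
# one we pretend is fine, and a blacklist that lists only the first.
WEAK_MODULUS = "Modulus=" + "C3A5" * 64
GOOD_MODULUS = "Modulus=" + "B7E1" * 64
BLACKLIST_TEXT = "# constructed blacklist\n" + blacklist_fingerprint(WEAK_MODULUS) + "\n"


def demo():
    """Return (weak cert flagged?, good cert flagged?) for the sample data."""
    bl = load_blacklist(BLACKLIST_TEXT)
    return is_weak(WEAK_MODULUS, bl), is_weak(GOOD_MODULUS, bl)


if __name__ == "__main__":
    print(demo())
```

In practice, feed the output of `openssl x509 -noout -modulus -in cert.pem` to `is_weak` with the real blacklist file for the key size; a hit means the key must be regenerated and the certificate reissued.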

If you have any questions about this matter, feel free to contact me
directly.

This notice is also posted here:

https://www.xmpp.net/news/2008/05/13/xmpp-ica-certificates-and-debian-openssl-vulnerability

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
