Date: Wed, 25 Nov 2015 09:51:17 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Announcing https://github.com/RedHatProductSecurity/Certificates-Shipped/

No, more of a "we'd like to avoid a Superfish" and then I realized we had
some legitimate certs/keys for sure (e.g. Firefox/BIND) and... maybe other
stuff? Who knows. As an industry we have very poor visibility/inventory of
what we ship/how we ship it/etc. Witness all the SSL/TLS config issues
where many vendors can't really answer in any sane time frame how badly
they are affected.


On Wed, Nov 25, 2015 at 8:54 AM, Reed Loden <reed@...dloden.com> wrote:

> Great idea, Kurt.
>
> Is this related to this recent CERT/CC advisory?
>
> http://www.kb.cert.org/vuls/id/566724
> http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html
>
> On Tuesday, November 24, 2015, Kurt Seifried <kseifried@...hat.com> wrote:
>
> > https://github.com/RedHatProductSecurity/Certificates-Shipped/
> >
> > The idea is to create a comprehensive list of shipped certs/keys/etc by
> > open source vendors/distributions/projects so that:
> >
> > 1) we have a list of secrets maintained by external parties that we rely
> > upon
> > 2) we can audit them and make sure we should be trusting them
> > 3) also spot changes more easily (since the existing corpus is available)
> >
>



-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
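As an added example (not code from this thread, from Red Hat, or from the Certificates-Shipped repository), the script below builds the kind of inventory the thread is about: it walks an unpacked package or filesystem tree, fingerprints every PEM-encoded certificate and private key it finds, separates out the private keys (the class of shipped secret behind the Superfish and "House of Keys" cases), and diffs a new snapshot against a stored baseline so that added, removed or changed material stands out. The directory layout, file names and PEM bodies are constructed placeholders (the bodies are not real X.509 or PKCS#8 structures), and the whole-file UTF-8 heuristic and the set of key labels are my assumptions, not the repository's format.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Any PEM block; the label decides whether it is a certificate or a key.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)
# Labels treated as private key material (assumed list, extend as needed).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"}


def pem_blocks(text):
    """Yield (label, der_bytes) for each PEM block in text; der_bytes is None
    when the body is not valid base64 (a corrupt or hand-edited blob)."""
    for m in PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            der = None
        yield m.group("label"), der


def scan_tree(root):
    """Inventory a tree: {relative_posix_path: [(label, sha256_hex, is_key), ...]}.
    Files that are not UTF-8 text are skipped (assumed heuristic for binaries)."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        entries = []
        for label, der in pem_blocks(text):
            fp = hashlib.sha256(der).hexdigest() if der is not None else "INVALID-BASE64"
            entries.append((label, fp, label in KEY_LABELS))
        if entries:
            inventory[path.relative_to(root).as_posix()] = entries
    return inventory


def diff_inventory(baseline, current):
    """Paths whose PEM content appeared, vanished or changed between snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def private_keys(inventory):
    """(path, label, fingerprint) for every private key: the entries that must
    never be identical across installs, and must never ship by accident."""
    return [(p, lbl, fp) for p, ents in inventory.items() for lbl, fp, is_key in ents if is_key]


def make_pem(label, der):
    """Wrap raw bytes in PEM armour (used only to build the constructed sample)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


def build_sample_tree(root, key_der):
    """Constructed sample: a two-cert CA bundle, a server key and one binary file."""
    pki = Path(root, "etc", "pki")
    pki.mkdir(parents=True)
    bundle = make_pem("CERTIFICATE", b"cert-a") + make_pem("CERTIFICATE", b"cert-b")
    (pki / "ca-bundle.crt").write_text(bundle)
    (pki / "server.key").write_text(make_pem("RSA PRIVATE KEY", key_der))
    (pki / "noise.bin").write_bytes(b"\xff\xfe\x00not pem")


def demo():
    """Two constructed snapshots: the second rotates the server key and adds a cert.
    Returns the diff and the private keys present in the new snapshot."""
    with tempfile.TemporaryDirectory() as old, tempfile.TemporaryDirectory() as new:
        build_sample_tree(old, key_der=b"key-material-v1")
        build_sample_tree(new, key_der=b"key-material-v2")
        Path(new, "etc", "pki", "extra.crt").write_text(make_pem("CERTIFICATE", b"cert-c"))
        baseline, current = scan_tree(old), scan_tree(new)
        return {"diff": diff_inventory(baseline, current), "keys": private_keys(current)}


if __name__ == "__main__":
    result = demo()
    print("diff:", result["diff"])
    for path, label, fp in result["keys"]:
        print(f"PRIVATE KEY SHIPPED: {path} ({label}) sha256={fp}")
```

In practice the baseline inventory would be committed alongside the package sources (or to a repository like the one announced), so a CI job can run scan_tree over each new build and fail on any non-empty "added" or "changed" list, and on any private_keys() hit that was not explicitly approved. Fingerprinting the DER bytes rather than the PEM text means whitespace or line-wrapping changes do not show up as spurious diffs, while a re-issued certificate or rotated key does.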
