Date: Wed, 25 Nov 2015 09:51:17 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Announcing https://github.com/RedHatProductSecurity/Certificates-Shipped/

No, more of a "we'd like to avoid a superfish" and then I realized we had some legitimate certs/keys for sure (e.g. firefox/bind) and.... maybe other stuff? Who knows. As an industry we have very poor visibility/inventory of what we ship/how we ship it/etc. Witness all the SSL/TLS config issues where many vendors can't really answer in any sane time frame how badly they are affected.

On Wed, Nov 25, 2015 at 8:54 AM, Reed Loden <reed@...dloden.com> wrote:
> Great idea, Kurt.
>
> Is this related to this recent CERT/CC advisory?
>
> http://www.kb.cert.org/vuls/id/566724
> http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html
>
> On Tuesday, November 24, 2015, Kurt Seifried <kseifried@...hat.com> wrote:
>
> > https://github.com/RedHatProductSecurity/Certificates-Shipped/
> >
> > The idea is to create a comprehensive list of shipped certs/keys/etc by
> > open source vendors/distributions/projects so that:
> >
> > 1) we have a list of secrets maintained by external parties that we rely
> > upon
> > 2) we can audit them and make sure we should be trusting them
> > 3) also spot changes more easily (since the existing corpus is available)
> >
>

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
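The inventory-and-diff idea from the quoted announcement (list the certs/keys a build ships, audit them, spot changes against the recorded corpus) sketched as an added Python example; this is not code from the thread or from the Certificates-Shipped repository, and the file paths and PEM payloads are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re

# One PEM block: capture the type label and the base64 body between the markers.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def inventory(files):
    """Map (path, block index) -> (PEM type, SHA-256 of the decoded DER bytes).
    `files` maps a shipped file's path to its text; keying by path lets a later
    run notice a cert or key that was silently replaced in place."""
    found = {}
    for path, text in files.items():
        for n, m in enumerate(PEM_RE.finditer(text)):
            kind, body = m.group(1), m.group(2)
            der = base64.b64decode("".join(body.split()))
            found[(path, n)] = (kind, hashlib.sha256(der).hexdigest())
    return found

def diff_inventory(baseline, current):
    """Return (added, removed, changed) between two inventories."""
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    changed = {k: (baseline[k][1], current[k][1])
               for k in baseline.keys() & current.keys()
               if baseline[k][1] != current[k][1]}
    return added, removed, changed

def shipped_private_keys(inv):
    """Private key material found in the shipment; each hit needs a documented reason."""
    return sorted(k for k, (kind, _) in inv.items() if "PRIVATE KEY" in kind)

def _pem(kind, payload):
    # Constructed placeholder: a PEM wrapper around arbitrary bytes, not real DER.
    return f"-----BEGIN {kind}-----\n{base64.b64encode(payload).decode()}\n-----END {kind}-----\n"

# Constructed sample shipments: the recorded corpus and a newer build of the same tree.
BASELINE_FILES = {"etc/pki/example-ca.crt": _pem("CERTIFICATE", b"constructed cert v1")}
CURRENT_FILES = {
    "etc/pki/example-ca.crt": _pem("CERTIFICATE", b"constructed cert v2"),
    "usr/share/example-app/server.key": _pem("RSA PRIVATE KEY", b"constructed key"),
}

if __name__ == "__main__":
    base, cur = inventory(BASELINE_FILES), inventory(CURRENT_FILES)
    added, removed, changed = diff_inventory(base, cur)
    for label, items in (("added", added), ("removed", removed), ("changed", changed)):
        print(label, sorted(items))
    print("private keys shipped:", shipped_private_keys(cur))
```

Pointing `inventory` at the extracted contents of a package set instead of the constructed dicts gives the baseline corpus; rerunning it on the next build and diffing is the "spot changes" step.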