Archive for the ‘Announcements’ Category

OpenSSL Keys on Debian/Ubuntu Compromised

Posted on May 13th, 2008 in Announcements, Cryptography, Security

Some pretty bad news from the Debian team. Apparently, a change made to the bundled version of OpenSSL has made key generation predictable. The issue is severe enough that the Debian team recommends you consider all affected keys compromised and regenerate them ASAP.

If you have been using any Debian distro (which includes Ubuntu) to generate SSL or SSH key material, check your version of OpenSSL. If you have 0.9.8c-1 or later, then you are affected.

Also keep in mind, any signatures made by compromised keys should be considered untrusted. As such, once you generate your new keys, you should notify anyone who you have acted as a signatory, and resign with your new material.

Read the official announcement from the Debian team here. There is also a Slashdot discussion you can take part in here too.

Superseding PGP Key Pair 338E2A73

Posted on May 5th, 2008 in Announcements, Cryptography

I am now superseding the following DSA/ELG key pair.

pub   1024D/338E2A73 2008-02-13 [expires: 2008-05-13]
      Key fingerprint = 72F8 3AD5 3991 B39B BD83  6090 B92D 78F6 338E 2A73
sub   2048g/55484828 2008-02-13 [expires: 2008-05-13]

If you wish to continue communicating with me securely, please use the following DSA/ELG public key, which you can fetch from publickey.robertsosinski.com or receive from pgp.mit.edu.

pub   1024D/03EE59A3 2008-05-05 [expires: 2011-05-05]
      Key fingerprint = CEFC D32D A0F0 8F02 3EE4  AD55 2B31 0C88 03EE 59A3
sub   4096g/720D8A7D 2008-05-05 [expires: 2011-05-05]

You can then verify this and all subsequent keys with my RSA signature key, which you can fetch from signaturekey.robertsosinski.com or receive from pgp.mit.edu.

pub   4096R/9BAE307E 2008-05-05
      Key fingerprint = A098 B838 28C1 F021 4984  E6B4 7397 56A7 9BAE 307E

From now on, I will supersede my DSA/ELG public key every 3 years, as well as whenever I deem necessary. In order to maintain continuity between any keys I make (for either professional or personal use), I will sign them with my RSA signature key.

I will only sign keys, not message data, with my RSA signature key in order to limit the amount of text associated with it. If you would like me to sign your key with my RSA signature key, please call or email me to setup a face-to-face meeting to do so.