[Systems] [Fwd: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30]
sascha-ml-reply-to-2011-4 at silbe.org
Thu Oct 13 03:15:32 EDT 2011
Excerpts from Bernie Innocenti's message of 2011-10-12 19:30:16 +0200:
> Shall we do something similar?
Definitely not. We might _remind_ users, but we certainly shouldn't
_force_ them. Not the least because at least my key is stored on an
OpenPGP v2 card - it _can't_ be compromised even if you take over my
computer; you'd need physical access to the hardware (unless you also
find an exploitable vulnerability in the smart card - possible, but
unlikely). I also don't understand the rationale - why do they force all
users to recreate the keys on their own computers if some of the
_targets_ have been compromised? If they're worried the attackers might
have taken over the sources via exploitable back channels (e.g. X
forwarding), then recreating the keys won't help.