[Systems] [Fwd: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30]

Sascha Silbe sascha-ml-reply-to-2011-4 at silbe.org
Thu Oct 13 03:15:32 EDT 2011


Excerpts from Bernie Innocenti's message of 2011-10-12 19:30:16 +0200:

> Shall we do something similar?

Definitely not. We might _remind_ users, but we certainly shouldn't
_force_ them. Not least because at least my key is stored on an
OpenPGP v2 card - it _can't_ be compromised even if you take over my
computer; you'd need physical access to the hardware (unless you also
find an exploitable vulnerability in the smart card - possible, but
unlikely). I also don't understand the rationale - why do they force all
users to recreate the keys on their own computers if some of the
_targets_ have been compromised? If they're worried the attackers might
have taken over the sources via exploitable back channels (e.g. X
forwarding), then recreating the keys won't help.

Sascha

-- 
http://sascha.silbe.org/
http://www.infra-silbe.de/