From: David Groep
Date: Fri, 23 May 2008 22:00:00 +0100
Subject: Impact of the Debian OpenSSL vulnerability on the IGTF Trust Fabric

Dear CAs, Relying Parties, Users, and all others interested,

In this announcement of the EUGridPMA:

1. Impact of the Debian OpenSSL vulnerability on the IGTF

=========================================================================
1. Impact of the Debian OpenSSL vulnerability on the IGTF
=========================================================================

A serious Debian (and derivatives, including Ubuntu) OpenSSL vulnerability
(CVE-2008-0166) was announced on May 13th, related to a predictable random
number generator in Debian's OpenSSL package:

  http://www.debian.org/security/2008/dsa-1571

This can also affect public key certificates used within the IGTF and the
Grid in general, if the key pair behind a certificate request was generated
on a vulnerable system. It can impact both the CA itself (if its own key pair
was generated on such a system) and all subscribers (users, hosts and
services).

The IGTF Accredited Authorities, with support from security officers from
several grid sites and our Relying Party members, have investigated the
impact of CVE-2008-0166 on the entire IGTF trust fabric:

- one CA certificate was based on weak key material. This certificate was
  immediately replaced and an updated IGTF Distribution (1.21) was released
  on May 16th. More details are in the May 16th newsletter at
  https://www.eugridpma.org/newsletter/eugridpma-newsletter-20080516.txt
  If you have not yet installed the 1.21 release, please do so as soon as
  reasonably possible. If you have the old UK e-Science root certificate
  installed in your browser, you should update this one as well.

- all Accredited CAs have reviewed the currently valid certificates for all
  subscribers since May 13th. Certificates based on weak key material have
  all been revoked by now.
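How a site or CA can tell whether a given certificate is "based on weak key material": because CVE-2008-0166 left the process id as the only entropy source, every key a vulnerable system could produce (for a given key size and architecture) is enumerable, and the Debian openssl-blacklist package shipped fingerprints of those keys. The script below, an added example that is not part of this newsletter nor of the openssl-blacklist package, takes the modulus as printed by `openssl x509 -noout -modulus` and looks its fingerprint up in a blacklist file. The fingerprint convention it follows (SHA-1 over the exact `Modulus=<HEX>` line, last 20 hex characters, modelled on openssl-vulnkey) and the blacklist path in the usage comment are assumptions to verify against your own copy of the package; the two moduli and the blacklist in the demo data are constructed and are not real Debian keys.

```python
"""check_weak_key.py: test an RSA modulus against a Debian weak-key blacklist.

CVE-2008-0166 reduced the entropy of Debian's OpenSSL RNG to the process id,
so every key a vulnerable system could produce (per key size and architecture)
is enumerable; the openssl-blacklist package distributed the fingerprints of
those keys, and a key is weak exactly when its fingerprint is on the list.
"""
import hashlib
import sys

# Assumed blacklist convention (modelled on openssl-vulnkey; verify against
# your copy of openssl-blacklist): SHA-1 over the exact line
# "Modulus=<HEX>\n" as printed by `openssl x509 -noout -modulus` (uppercase
# hex), keeping the last 20 hex characters of the digest.
FINGERPRINT_CHARS = 20


def modulus_fingerprint(modulus_hex: str) -> str:
    """Blacklist-style fingerprint of an RSA modulus given as a hex string."""
    line = "Modulus=%s\n" % modulus_hex.strip().upper()
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-FINGERPRINT_CHARS:]


def parse_modulus(openssl_output: str) -> str:
    """Pull the hex modulus out of `openssl x509 -noout -modulus` output."""
    for line in openssl_output.splitlines():
        if line.startswith("Modulus="):
            return line[len("Modulus="):].strip()
    raise ValueError("no 'Modulus=' line in input; is this an RSA certificate?")


def load_blacklist(lines) -> set:
    """Parse blacklist text: one fingerprint per line, '#' starts a comment."""
    fps = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if len(entry) != FINGERPRINT_CHARS or any(c not in "0123456789abcdef" for c in entry):
            raise ValueError("malformed blacklist entry: %r" % raw)
        fps.add(entry)
    return fps


def is_weak(modulus_hex: str, blacklist: set) -> bool:
    """True if the modulus fingerprint is on the blacklist."""
    return modulus_fingerprint(modulus_hex) in blacklist


def check_openssl_output(openssl_output: str, blacklist: set) -> bool:
    """Full pipeline: openssl modulus text in, weak/not-weak out."""
    return is_weak(parse_modulus(openssl_output), blacklist)


# Constructed demo data: neither modulus is a real key, and the demo blacklist
# is built from the fingerprint of the first one so the check has a positive.
DEMO_WEAK_MODULUS = "C0FFEE" * 85 + "01"    # 512 hex chars, i.e. a 2048-bit modulus
DEMO_STRONG_MODULUS = "DEADBEEF" * 64        # 512 hex chars
DEMO_BLACKLIST_TEXT = [
    "# constructed blacklist, not the Debian one",
    modulus_fingerprint(DEMO_WEAK_MODULUS),
]
DEMO_BLACKLIST = load_blacklist(DEMO_BLACKLIST_TEXT)


if __name__ == "__main__":
    # Usage (blacklist path is the usual Debian location; an assumption,
    # adjust for your system):
    #   openssl x509 -in usercert.pem -noout -modulus | \
    #       python3 check_weak_key.py /usr/share/openssl-blacklist/blacklist.RSA-2048
    if len(sys.argv) != 2:
        sys.exit("usage: check_weak_key.py BLACKLIST_FILE  < openssl-modulus-output")
    with open(sys.argv[1]) as fh:
        bl = load_blacklist(fh)
    weak = check_openssl_output(sys.stdin.read(), bl)
    print("WEAK KEY (CVE-2008-0166): revoke and rekey" if weak else "not on blacklist")
    sys.exit(2 if weak else 0)
```

The same pipeline works for a host certificate, a CSR (`openssl req -noout -modulus`) or a bare private key (`openssl rsa -noout -modulus`), since all three print the same `Modulus=` line. Two caveats: a key absent from the list is only cleared for the key sizes and architectures that were actually enumerated, and a "not weak" result says nothing about a key that was generated on a vulnerable system and later used to sign or encrypt, so the CA's records of where and when a key pair was generated remain the authoritative input for revocation decisions.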
To ensure your trust infrastructure is safe, please make sure you have
downloaded the latest CRLs, and keep them up-to-date by refreshing them at
least once a day. Utilities for Unix based systems are available on the IGTF
web site:

  https://dist.eugridpma.info/distribution/util/

Modern browsers can automatically download new CRLs periodically. If you have
CRLs installed in your browser, make sure these are also up-to-date.

At this point in time, there is no reason to disable any specific CAs from the
IGTF Trust Anchor distribution in relation to this vulnerability.

=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES
=========================================================================

Subscribing to the EUGridPMA Newsletter
---------------------------------------
This newsletter carries IGTF information intended for relying parties. For
more information about this newsletter and how to subscribe, refer to the
EUGridPMA web site at https://www.eugridpma.org/

Next Release
------------
The next release of the CA RPMs is to be expected in June 2008.