Re: Request change in son-of-rfc2633
pgut001@cs.auckland.ac.nz (Peter Gutmann) Tue, 04 November 2003 10:36 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA07763 for <smime-archive@lists.ietf.org>; Tue, 4 Nov 2003 05:36:02 -0500 (EST)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hA4A8KkT045901 for <ietf-smime-bks@above.proper.com>; Tue, 4 Nov 2003 02:08:20 -0800 (PST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id hA4A8KKx045900 for ietf-smime-bks; Tue, 4 Nov 2003 02:08:20 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hA4A8GkT045889; Tue, 4 Nov 2003 02:08:17 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by hermes.cs.auckland.ac.nz (8.12.9-20030924/8.12.9) with ESMTP id hA4A8Go9028250; Tue, 4 Nov 2003 23:08:16 +1300
Received: (from pgut001@localhost) by cs.auckland.ac.nz (8.11.6/8.11.6) id hA4ABfi05617; Tue, 4 Nov 2003 23:11:41 +1300
Date: Tue, 04 Nov 2003 23:11:41 +1300
Message-Id: <200311041011.hA4ABfi05617@cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz
To: ietf-pkix@imc.org, ietf-smime@imc.org
Subject: Re: Request change in son-of-rfc2633
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
I wrote: >Mozilla (and no doubt some others that didn't get any publicity) did the same >thing, and I'm sure they didn't get asked to do that by customers. Actually that's not right, I thought Mozilla (or at least some apps that used the Mozilla/Gecko/NSS/whatever code base) were vulnerable because Konqueror was vulnerable, but it turns out that this was Konqueror with khtml rather than with kmozilla, with OpenSSL supplying the crypto. Apologies for the mixup. Before this gets read as "OpenSSL is vulnerable", that isn't the case either. OpenSSL provides application-defined callbacks that can be used to override some checks (used to handle, as one source aptly described it, "the mass of broken certs out there"). Some apps provide callbacks that ignore all errors, which apparently is what happened here. Standard OpenSSL doesn't have this problem. Peter.
- Request change in son-of-rfc2633 Jim Schaad
- Re: Request change in son-of-rfc2633 Russ Housley
- Re: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Blake Ramsdell
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Blake Ramsdell
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Blake Ramsdell
- RE: Request change in son-of-rfc2633 Russ Housley
- RE: Request change in son-of-rfc2633 Blake Ramsdell
- RE: Request change in son-of-rfc2633 Russ Housley
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Russ Housley
- RE: Request change in son-of-rfc2633 Peter Gutmann
- Re: Request change in son-of-rfc2633 Steve Hanna
- RE: Request change in son-of-rfc2633 Santosh Chokhani
- Re: Request change in son-of-rfc2633 Peter Gutmann
- Re: Request change in son-of-rfc2633 Peter Gutmann