Mailing List Archive

Regeneration of gpg keys after HeartBleed
Hi all, this is my first post in this list, so again Hi all!

I'm a bit concerned about the signing keys of the portage tree releases,
I know that gpg is not the same as openssl but keeping in mind that SSH,
VPN, HTTPS keys might be compromised for two years, don't you think it's
a healthy measure to generate a new pair of keys?

Thank you
Re: Regeneration of gpg keys after HeartBleed
On Wed, 09 Apr 2014 18:39:41 +0200
Jo <saos@riseup.net> wrote:

> I'm a bit concerned about the signing keys of the portage tree
> releases, I know that gpg is not the same as openssl but keeping in
> mind that SSH, VPN, HTTPS keys might be compromised for two years,
> don't you think it's a healthy measure to generate a new pair of keys?

It seems highly unlikely that GPG keys got compromised. This could only
have happened if either private GPG keys were transmitted via an
OpenSSL encrypted connection, or if the information leak created a
secondary attack vector.

SSL certificates and credentials transmitted via SSL on affected servers
should be renewed, but other than that, there's not that much to worry
about as some people think.


Regards,
Luis Ressel
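A practical check for the renewal Luis recommends, added here as an example and not code from the thread: Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014, so a TLS certificate whose validity period began before that date was served by whatever OpenSSL build the host ran at the time and belongs on the renewal list. The script parses the two lines `openssl x509 -noout -dates` prints and flags certificates that predate the disclosure. The sample outputs are constructed. Note the caveat: a certificate reissued with the same key pair has a fresh notBefore but is not a real rotation, so this check finds certificates that were clearly never renewed, not proof that a newer one uses a new key.

```python
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160). A certificate whose
# validity began before this date predates any fix and is a renewal candidate.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Date layout used by `openssl x509 -noout -dates`, e.g. "Apr  2 12:00:00 2014 GMT"
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed sample outputs (not captured from any real host).
SAMPLE_OLD_CERT = "notBefore=Mar 12 08:00:00 2013 GMT\nnotAfter=Mar 12 08:00:00 2015 GMT\n"
SAMPLE_NEW_CERT = "notBefore=Apr 10 09:30:00 2014 GMT\nnotAfter=Apr 10 09:30:00 2016 GMT\n"


def parse_openssl_dates(output: str) -> dict:
    """Parse the notBefore/notAfter lines from `openssl x509 -noout -dates`.

    Returns a dict mapping "notBefore"/"notAfter" to timezone-aware datetimes.
    """
    dates = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with two spaces; collapse them
            # so strptime's %d matches.
            normalized = " ".join(value.split())
            parsed = datetime.strptime(normalized, _OPENSSL_DATE_FMT)
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if "notBefore" not in dates:
        raise ValueError("no notBefore line found in openssl output")
    return dates


def predates_disclosure(output: str, cutoff: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """True if the certificate's validity began before the Heartbleed disclosure."""
    return parse_openssl_dates(output)["notBefore"] < cutoff


def renewal_status(output: str) -> str:
    """Short verdict suitable for a report line."""
    if predates_disclosure(output):
        return "predates-disclosure: renew certificate and rotate key"
    return "issued after disclosure: confirm the key pair was also replaced"


if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD_CERT), ("new", SAMPLE_NEW_CERT)):
        print(f"{label}: {renewal_status(sample)}")
```

To run it against a live service, feed it the real output of `openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 -noout -dates`; the parser only needs the two `notBefore=`/`notAfter=` lines.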
Re: Regeneration of gpg keys after HeartBleed
On 04/09/14 12:01, Luis Ressel wrote:
> On Wed, 09 Apr 2014 18:39:41 +0200
> Jo <saos@riseup.net> wrote:
>
>> I'm a bit concerned about the signing keys of the portage tree
>> releases, I know that gpg is not the same as openssl but keeping in
>> mind that SSH, VPN, HTTPS keys might be compromised for two years,
>> don't you think it's a healthy measure to generate a new pair of keys?
>
> SSL certificates and credentials transmitted via SSL on affected servers
> should be renewed, but other than that, there's not that much to worry
> about as some people think.

It's worth a trip to http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html

It's not impossible that ssl keys could be compromised, but in most cases it shouldn't happen.

Chris
Re: Regeneration of gpg keys after HeartBleed
Hi Chris & List,

f.y.i.: the post you linked got retracted by the author because, as he
states, he misread the code and interpreted it in a wrong way.

Best regards,
Matthias Niethammer



2014-04-09 21:21 GMT+02:00 Chris Frederick <cdf123@cdf123.net>:

> On 04/09/14 12:01, Luis Ressel wrote:
>
>> On Wed, 09 Apr 2014 18:39:41 +0200
>> Jo <saos@riseup.net> wrote:
>>
>> I'm a bit concerned about the signing keys of the portage tree
>>> releases, I know that gpg is not the same as openssl but keeping in
>>> mind that SSH, VPN, HTTPS keys might be compromised for two years,
>>> don't you think it's a healthy measure to generate a new pair of keys?
>>>
>>
>> SSL certificates and credentials transmitted via SSL on affected servers
>> should be renewed, but other than that, there's not that much to worry
>> about as some people think.
>>
>
> It's worth a trip to http://blog.erratasec.com/
> 2014/04/why-heartbleed-doesnt-leak-private-key.html
>
> It's not impossible that ssl keys could be compromised, but in most cases
> it shouldn't happen.
>
> Chris
>
>
Re: Regeneration of gpg keys after HeartBleed
On 09.04.2014 18:39, Jo wrote:
> Hi all, this is my first post in this list, so again Hi all!
>
> I'm a bit concerned about the signing keys of the portage tree releases,
> I know that gpg is not the same as openssl but keeping in mind that SSH,
> VPN, HTTPS keys might be compromised for two years, don't you think it's
> a healthy measure to generate a new pair of keys?

GPG private keys are kept and used nowhere near any server processes,
not transferred via HTTPS or any VPNs, and SSH is not affected. I don't
see an immediate need to rotate them.

--
Alex Legler <a3li@gentoo.org>
Gentoo Security/Ruby/Infrastructure
Re: Regeneration of gpg keys after HeartBleed
On Mon, Apr 14, 2014 at 5:54 PM, Alex Legler <a3li@gentoo.org> wrote:
> On 09.04.2014 18:39, Jo wrote:
>> Hi all, this is my first post in this list, so again Hi all!
>>
>> I'm a bit concerned about the signing keys of the portage tree releases,
>> I know that gpg is not the same as openssl but keeping in mind that SSH,
>> VPN, HTTPS keys might be compromised for two years, don't you think it's
>> a healthy measure to generate a new pair of keys?
>
> GPG private keys are kept and used nowhere near any server processes,
> not transferred via HTTPS or any VPNs, and SSH is not affected. I don't
> see an immediate need to rotate them.

Agree. Also, in a few months whenever the new GPG policy GLEP is
implemented I suspect that many keys will be regenerated anyway.

Rich