From spamtesterspamtester at gmail.com  Wed Oct  1 13:52:50 2008
From: spamtesterspamtester at gmail.com (spamtester spamtester)
Date: Thu, 2 Oct 2008 03:52:50 +1000
Subject: [OTR-dev] .... dev response to question...
Message-ID: <a67862810810011052j2ba819bdud89dcdae72a0f1fe@mail.gmail.com>

I have asked the question below on the users otr list. However, if the otr
keys of debian users / ubuntu users are at risk i thought i would / should /
will now forward this question on to the dev list so that if they are
vulnerable a tool can be maded to identify weak keys.


RE DEBIAN FALL OUT OF LIBSSL - Is it the case that otr uses openssl .... - i
see that i have a dsa key as my private key. So, then shouldn't it be so
that a tool to id the weak keys and blacklist them be published ?
This is long over due if this is the case.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20081002/f4832acc/attachment.html>

From fnord at pentabarf.de  Wed Oct  1 14:51:14 2008
From: fnord at pentabarf.de (Kjell Braden)
Date: Wed, 01 Oct 2008 20:51:14 +0200
Subject: [OTR-dev] .... dev response to question...
In-Reply-To: <a67862810810011052j2ba819bdud89dcdae72a0f1fe@mail.gmail.com>
References: <a67862810810011052j2ba819bdud89dcdae72a0f1fe@mail.gmail.com>
Message-ID: <48E3C6A2.4000104@pentabarf.de>

spamtester spamtester wrote:
> RE DEBIAN FALL OUT OF LIBSSL - Is it the case that otr uses openssl .... - i
> see that i have a dsa key as my private key. So, then shouldn't it be so
> that a tool to id the weak keys and blacklist them be published ?
> This is long over due if this is the case.

AFAIK, libotr uses libgcrypt for it's cryptographic functions and is
therefore not vulnerable.

Kjell

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20081001/60e79a0f/attachment.pgp>

From ian at cypherpunks.ca  Thu Oct  2 11:11:40 2008
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Thu, 2 Oct 2008 11:11:40 -0400
Subject: [OTR-dev] .... dev response to question...
In-Reply-To: <48E3C6A2.4000104@pentabarf.de>
References: <a67862810810011052j2ba819bdud89dcdae72a0f1fe@mail.gmail.com>
	<48E3C6A2.4000104@pentabarf.de>
Message-ID: <20081002151140.GF9872@thunk.cs.uwaterloo.ca>

On Wed, Oct 01, 2008 at 08:51:14PM +0200, Kjell Braden wrote:
> spamtester spamtester wrote:
> > RE DEBIAN FALL OUT OF LIBSSL - Is it the case that otr uses openssl .... - i
> > see that i have a dsa key as my private key. So, then shouldn't it be so
> > that a tool to id the weak keys and blacklist them be published ?
> > This is long over due if this is the case.
> 
> AFAIK, libotr uses libgcrypt for it's cryptographic functions and is
> therefore not vulnerable.

That is correct.

   - Ian