I agree with Oscar.
I guess this also again highlights the fact that training is important.
> Personally I would like to advise sites to blacklist users individually
> when such an exposure happens.
Just some clarification about this.
When a proxy is being exposed, it should be reported to the OSCT (either via GGUS or via [log in to unmask]). The OSCT would
then send an EGEE Broadcast to all sites with appropriate instructions, including (when appropriate) the amount of time the DN needs to be
suspended for.
If it is suspected that the proxy has been used by an attacker, incident reporting channels would need to be used.
Regards,
Romain.
Oscar Koeroo wrote:
> Hi David,
>
> It is not needed here to go that far.
> You've send to us (the world) the following:
>
> - Your public certificate, in it your public key
> - Your private key of the proxy
> - Your public proxy certificate part, matching the private key of the
> proxy.
>
> You've not send the private key of the certificate. If you would have
> done that somebody would have contacted your CA and revoked it already. ;-)
>
> The proxy was certainly usable and valid for 12 hours (until Mar 28
> 22:13:46 2007 GMT). It could have been mis-used during that time period.
> Now it is not valid and you can't re-use it to generate new proxies out
> of that one. This is one argument why we have have this system. The harm
> is limited to that time frame.
>
> Your personal certificate has not been comprised. You can still use that
> certificate safely to generate new proxy certificates. You should be
> very careful about the private key. Check the file permissions that only
> you should be able to access it. Like passwords you shouldn't give that
> out also because other people can do things and the blame will be on the
> owner of the password or private key.
>
>
> Personally I would like to advise sites to blacklist users individually
> when such an exposure happens. It's like losing your credit card, you
> don't want it to happen, but when it happens you want to block mis-use.
> this would benefit you the user and the sites that would possibly need
> to check the system. (Yes, I realize it hard to keep up with these day
> by day issues).
>
>
> Now the threat is over (your proxy is invalid now) and all blocks can be
> lifted for you to continue your work.
>
>
>
> cheers,
>
> Oscar
>
>
>
> David Garcia Aristegui wrote:
>> I'm asking for a brand new cert, sorry for the inconveniences.
>>
>> Leif Nixon wrote:
>>
>>> David Garcia Aristegui <[log in to unmask]> writes:
>>>
>>>
>>>
>>>> [david@villon examples]$ more /tmp/x509up_u22
>>>> -----BEGIN CERTIFICATE-----
>>>> MIIEdzCCA+CgAwIBAgICBQwwDQYJKoZIhvcNAQEEBQAwUjELMAkGA1UEBhMCRVMx
>>>>
>>>
>>> I know grid security and public key cryptography is hard, so please
>>> don't be offended, but it is an exceptionally bad idea to publish the
>>> contents of your proxy on a public mailing list - it is approximately
>>> equivalent to publishing your personal password.
>>>
>>> (Apparently this proxy was non-functional, but we were about to
>>> suspend your access to all Swedish sites to avoid unauthorized
>>> access using your ide.)
>>>
>>>
>>>
--
Romain Wartel [log in to unmask]
EGEE Operational Security Coordination Team
C.E.R.N. http://www.cern.ch/LCG
Information Technology Division http://www.eu-egee.org/
Bat.28-R-1-012 http://cern.ch/security
CH-1211 Geneva 23, Switzerland
|