Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
Bernd Stramm
bernd.stramm at gmail.com
Wed Oct 12 23:20:54 UTC 2011
On Wed, 12 Oct 2011 16:40:07 -0400
seth vidal <skvidal at fedoraproject.org> wrote:
> On Wed, 2011-10-12 at 22:34 +0200, Tomas Mraz wrote:
> > Unnecessary work is kind of punishment.
> >
> > BTW what prevents the people who do not care about their SSH
> > private key security to upload their new SSH key to a compromised
> > system immediately after they generate it again?
>
> Nothing prevents them from doing it. But this action, here, today, is
> trying to stave off risk from PAST compromises of others' systems. It
> is not trying to stave off FUTURE compromises.
>
> It's like changing your house locks if you lose your keys. Nothing
> keeps you from losing your keys again - but you're completely certain
> that the old keys are useless now.
I for one am fairly certain that the folks who left their private keys
on public systems will do that again, fairly quickly. I am also fairly
certain that they are not following this debate.
--
Bernd Stramm
bernd.stramm at gmail.com