Date: Thu, 08 Jan 2009 14:00:00 +0100 From: David Groep Subject: No threat to IGTF PKI from OpenSSL DSA/ECDSA issue CVE-2008-5077 Dear IGTF relying parties, The OpenSSL Security Team released an advisory [1] on January 7th, regarding incorrect checks for malformed signatures when DSA or ECDSA keys are used. The IGTF Risk Assessment Team (RAT) [2] would like to inform you that NONE of the IGTF-accredited certification authorities use such keys to sign any certificate. This means this vulnerability does not constitute any risk to relying parties when they authenticate a server presenting a certificates issued by an IGTF-accredited CA. None of the CAs accredited by the IGTF issue, or have issued in the past, certificates using signature algorithms other than RSA. On behalf of the IGTF/IGTF RAT Sincerely, Jim Basney David Groep Vinod Rebello Willy Weisz [1] http://www.openssl.org/news/secadv_20090107.txt [2] http://tagpma.es.net/wiki/bin/view/IGTF-RAT