Tracy R Reed wrote:

> No, I haven't. And you are right it is highly unlikely. Knowing that
> someone was going to want to get a key signed, putting the bogus info
> where they would find it, tricking someone into calling you and giving
> them a bogus key, etc. is all very difficult. I think we are going to have
> to give up the notion of 100% security and accept the very small chance
> (orders of magnitude smaller than now) of someone being fooled if we ever
> want to get this stuff deployed.

Ongoing man-in-the-middle attacks aren't impossible; the FBI's Carnivore system is all over the place and in theory could not only sniff but inject... Then again, there are other methods at the disposal of governments...


> Since most cpu's out there in the world spend 80% of their time idle doing
> nothing anyway I don't think it would be quite this bad. :)

What about Asterisk servers that are already under load? This would multiply the effect. Yes, most servers would idle most of the time, but if you have periods of peak activity this would compound any existing problems you get from this...


> Ah. I haven't given too much thought about how it interacts with phone
> systems yet. I'll ponder this one.

I believe there is an RFC on PGP use in browsers; I don't know of anyone actually implementing it, however...


> Very cool. I am reading up on this stuff.

We wanted a method of dynamic routing so we didn't have an ever-growing list of extensions and IAX/SIP items, not to mention getting away from single points of failure, where if a service is down you're out of luck; it seemed like enum.164 is the only solution to this problem. We wanted to do things in such a way that we could be relatively certain the person we were calling was who we were expecting and not a telemarketer etc. that had hijacked a heap of numbers... As far as I'm aware no other ENUM system (even the ITU's) currently implements anything that comes close to what we were after...


> Indeed. It was just an example of the mail vendors successfully forcing
> something on everyone.

The thing is, it didn't stop normal text posts, so yes, it tacked added functionality on top without denying the existing system; your suggestion doesn't take that into account...


> That is fine. The mail administrator can read everything they type into
> the server anyhow. He can bug their keyboard if he wants.

Not if you encrypt email at the mail client... He can't bug a remote keyboard... Some of the PKI hardware devices are implemented in a keyboard, and when accessing the certificate the keyboard directs keystrokes straight to the hardware reader rather than via the PC...


> I doubt they would because it would make spamming much more expensive.
> Some might but it makes it much less likely and kills their profits which
> removes the incentive.

What cost? It's trivial to generate both PGP and self-signed PKI keys using the openssl toolkit; spammers could easily pay someone to grab a new domain/email/certificate daily, $10 in wages? If they get $1000 in profit from $10 in expenses they'd do it...


--
Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
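The dynamic routing Duane describes above rests on ENUM: the dialled E.164 number is turned into a DNS name and the NAPTR records found there are rewritten into a SIP or IAX2 URI. The following is an added example of that mechanism, not code from this thread, from Asterisk or from e164.org. The NAPTR records and the number are constructed sample data; the `e164.arpa` and `e164.org` suffixes are the ITU tree and the tree Duane's project uses, and the resolver does no DNS at all. It also bears on the thread's worry about hijacked numbers: nothing in the mapping itself authenticates who published the record, so whatever trust the result carries has to come from DNSSEC or from an out-of-band check on the URI's host, neither of which this block supplies.

```python
"""ENUM (E.164 number -> URI) resolution for dynamic call routing.

Added example; not code from the thread or from e164.org.  The NAPTR
records below are constructed sample data standing in for a DNS answer.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Naptr:
    """The fields of a DNS NAPTR record (RFC 3403) that ENUM uses."""
    order: int
    preference: int
    flags: str        # "u" means the regexp produces a terminal URI
    service: str      # e.g. "E2U+sip", "E2U+iax2"
    regexp: str       # "!ERE!replacement!" substitution expression
    replacement: str  # "." when the regexp field is used


def e164_to_enum_name(number: str, suffix: str = "e164.arpa") -> str:
    """Turn an E.164 number into its ENUM domain (RFC 6116 section 2.1):
    drop non-digits, reverse the digits, dot-separate, append the tree.
    The suffix is a parameter because the thread uses e164.org rather
    than the ITU tree e164.arpa."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError(f"no digits in {number!r}")
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(number: str, regexp: str) -> str:
    """Apply a NAPTR substitution expression to the dialled number.
    The first character is the delimiter; the field is
    <delim>ERE<delim>replacement<delim>[flags].  Backslash-digit
    references in the replacement are expanded from the match groups.
    Simplification (assumption): the delimiter does not appear escaped
    inside the ERE."""
    if len(regexp) < 3:
        raise ValueError(f"malformed regexp field {regexp!r}")
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) < 3:
        raise ValueError(f"malformed regexp field {regexp!r}")
    ere, repl, flags = parts[0], parts[1], parts[2]
    re_flags = re.IGNORECASE if "i" in flags else 0
    m = re.search(ere, number, re_flags)
    if m is None:
        raise ValueError(f"{regexp!r} does not match {number!r}")
    return re.sub(r"\\([1-9])", lambda b: m.group(int(b.group(1))), repl)


def resolve_enum(number: str, records, service: str = "E2U+sip") -> str:
    """Pick the terminal NAPTR for the wanted service, lowest order then
    lowest preference first, and return the URI it yields.  A record
    whose ERE does not match the number is skipped, as RFC 6116 requires,
    rather than treated as a failure."""
    candidates = [
        r for r in records
        if r.flags.lower() == "u" and r.service.lower() == service.lower()
    ]
    if not candidates:
        raise LookupError(f"no terminal {service} record for {number}")
    for rec in sorted(candidates, key=lambda r: (r.order, r.preference)):
        try:
            return apply_naptr_regexp(number, rec.regexp)
        except ValueError:
            continue  # ERE did not match this number; try the next record
    raise LookupError(f"no {service} record matched {number}")


# Constructed sample data standing in for the DNS answer at the ENUM name
# of +61292221234.  The order-1 record only matches +1 numbers and must
# be skipped; the order-10 record wins over order-100 although it is
# listed later.
SAMPLE_NUMBER = "+61292221234"
SAMPLE_RECORDS = [
    Naptr(100, 10, "u", "E2U+sip", r"!^.*$!sip:1234@pbx.example.net!", "."),
    Naptr(100, 20, "u", "E2U+iax2", r"!^.*$!iax2:pbx.example.net/1234!", "."),
    Naptr(1, 10, "u", "E2U+sip", r"!^\+1(.*)$!sip:\1@us.example.net!", "."),
    Naptr(10, 10, "u", "E2U+sip", r"!^\+61(.*)$!sip:0\1@pbx.example.net!", "."),
]

if __name__ == "__main__":
    print(e164_to_enum_name(SAMPLE_NUMBER))
    print(e164_to_enum_name(SAMPLE_NUMBER, "e164.org"))
    print(resolve_enum(SAMPLE_NUMBER, SAMPLE_RECORDS))
    print(resolve_enum(SAMPLE_NUMBER, SAMPLE_RECORDS, "E2U+iax2"))
```

A real resolver would query the name `e164_to_enum_name` returns for NAPTR records and feed them to `resolve_enum`; whether the answer was forged is exactly the question the thread leaves open, since plain DNS gives the caller no way to tell.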