- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, July 23, 2002 1:59 PM
Subject: Re: building a true RNG (was: Quantum Computing ...)
> You cannot measure entropy retrospectively. You need to have a
> theory as to where the ent
- Original Message -
From: "Lucky Green" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, July 14, 2002 11:55 AM
Subject: RE: IP: SSL Certificate "Monopoly" Bears Financial Fruit
> > The cert shows that it's issued by Equifax, however.
>
> The cert shows as
- Original Message -
From: "Dierk Bolten" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 28, 2002 2:33 AM
Subject: Re: [java-powered-iButton]Newbie to iButton
Hi!
I wrote a PAM module for Linux that authenticates users to the system with a
RSA based challenge-response pr
> Status: U
> From: "Lucky Green" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Government subsidies: our last, best hope for Cryptanarchy?
> Date: Fri, 24 May 2002 01:44:53 -0700
> Sender: [EMAIL PROTECTED]
>
[...]
> The same Cypherpunk expressed a hope that absent NAI's PGP, the Germ
Further to Lucky's comments: in the last few days I have discussed keysize
issues with a few people on a couple of mailing lists, and I have
encountered a hostility to large keysizes of which, frankly, I don't
understand the reasons. On the client side at least, performance is not an
issue: PGP 7.
- Original Message -
From: "Lucky Green" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, 24 March, 2002 9:38 AM
Subject: 1024-bit RSA keys in danger of compromise
[...]
> In light of the above, I reluctantly revoked all my personal 1024-bit
> PGP keys and the large web-of-trust
Try http://www.ncipher.com/safebuilder/codesafe.html .
Also some of the devices mentioned at http://www.kegel.com/ssl/hw.html might
be useful to you. And if the application is not too large and demanding, a
Java iButton (http://www.ibutton.com/ibuttons/java.html ) could also do the
trick.
Enzo
-
From: "Ben Laurie" <[EMAIL PROTECTED]>
> BTW, I don't see why using a passphrase to a key makes you vulnerable to
> a dictionary attack (like, you really are going to have a dictionary of
> all possible 1024 bit keys crossed with all the possible passphrases?
> Sure!).
At least in OpenPGP, the c
From: "Derek Atkins" <[EMAIL PROTECTED]>
> Actually, this was chosen only to protect signalling, not the
> actual VoIP data. If you read the spec carefully you will notice
> that the RTP stream is NOT using IPsec for data protection.
Yup, right. Thanks also to Joseph Tardo, who pointed out that
- Original Message -
From: "Eric Rescorla" <[EMAIL PROTECTED]>
To: "Eugene Leitl" <[EMAIL PROTECTED]>
Sent: Monday, 28 January, 2002 6:33 AM
[...]
> If you want to see EC used you need to describe a specific algorithm
> which has the following three properties:
>
> (1) widely agreed to be
> > There are other problems with using IPsec for VoIP.. In many cases
> > you are sending a large number of rather small packets of data. In
> > this case, the extra overhead of ESP can potentially double the size
> > of your data.
>
> HOW small? You'd already be adding IP+UDP+RTP headers (20
If everything is tunnelled inside SSH, its ultimate transport is TCP, which
is bad for data types like voice where reliability is less important than
low delay. The right thing to do is to build decent security into the RTP
layer (the standard transport for voice applications, RFC1889): the SRTP
d
> Here you're talking about "reputation of nyms", which doesn't require
> third parties or certs, just well-kept secret keys of a PK pair.
> If the remote entity keeps using the same PK keys, you can reasonably
> update reputation based on that alone. (They're essentially signing their behavio
- Original Message -
From: "Eugene Leitl" <[EMAIL PROTECTED]>
To: "Hack Hawk" <[EMAIL PROTECTED]>
Cc: "Hadmut Danisch" <[EMAIL PROTECTED]>; "Digital Bearer Settlement List"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, 06 January, 2002 7:41 PM
> On Fri, 4 Ja
red it
for addition to HTTP. Maybe something for the Mozilla and Apache teams to
consider pioneering?
Enzo
- Original Message -
From: "Enzo Michelangeli" <[EMAIL PROTECTED]>
To: "Richard Guy Briggs" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tues
- Original Message -
From: "Richard Guy Briggs" <[EMAIL PROTECTED]>
To: "Enzo Michelangeli" <[EMAIL PROTECTED]>
Cc: "Richard Guy Briggs" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, December 04, 2001 7:07 PM
Subject: Re: VI
- Original Message -
From: "Richard Guy Briggs" <[EMAIL PROTECTED]>
To: "Enzo Michelangeli" <[EMAIL PROTECTED]>
Cc: "John R. Levine" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, December 04, 2001 6:18 PM
Subject: Re: VISA
Actually, the authentication is not performed by Visa, but by the issuer
(the member bank that has issued the card). Visa only manages a directory
server where the merchant's plugin looks up the first six digits of the card
number (a.k.a. the "issuer BIN") and finds the URL of the "Issuer
Authenti
- Original Message -
From: "Bram Cohen" <[EMAIL PROTECTED]>
To: "Nelson Minar" <[EMAIL PROTECTED]>
Cc: "Crypto List" <[EMAIL PROTECTED]>
Sent: Wednesday, October 31, 2001 1:36 AM
Subject: Re: Yet more stego scare in the New York Times
[...]
> hotmail/yahoo/hushmail/etc. accounts - these
On Mon, 29 October 2001, "R. A. Hettinga" wrote:
[...]
> The key-logger, hidden inside a computer, secretly records everything a
> suspect types on it. The device lets authorities capture passwords to
> unscramble data files in otherwise-unbreakable codes.
So what happens if the application g
- Original Message -
From: "Bill Stewart" <[EMAIL PROTECTED]>
To: "Conspiracy" <>
Sent: Wednesday, October 03, 2001 12:41 AM
Subject: Re: Best practices/HOWTO for key storage in small office/home
office setting?
> At 07:23 PM 10/02/2001 +0300, Sampo Syreeni wrote:
> >Or integrate some co
- Original Message -
From: "Ray Dillinger" <[EMAIL PROTECTED]>
To: "Enzo Michelangeli" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "Ben Laurie" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; "Hadmut Danisch" <[EMAIL PRO
On Mon, 24 Sep 2001 [EMAIL PROTECTED] wrote:
> If it was so easy ... it wouldn't be a problem. An objective of the
> original e-commerce deployments was that the account number file not be
> co-located on the webserver. Since a large number of subsequent deployments
> have co-located on the webse
- Original Message -
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
To: "Bill Frantz" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "Ben Laurie" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 6:31 AM
Subject: Re: [FYI] Did Encryption Empower These Terrorists?
>
Or also their XML equivalents:
http://xml.coverpages.org/xml-spki.html
Enzo
- Original Message -
From: "Paul Crowley" <[EMAIL PROTECTED]>
To: "Peter Gutmann" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, Septem
- Original Message -
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "John Gilmore" <[EMAIL PROTECTED]>
Cc: "Pawel Krawczyk" <[EMAIL PROTECTED]>; "Bram Cohen"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, September 20, 2001 5:17 AM
Subject: Re: chip-level rando
- Original Message -
From: "Greg Broiles" <[EMAIL PROTECTED]>
To: "Enzo Michelangeli" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, June 25, 2001 1:32 AM
Subject: Re: crypto flaw in secure mail standards
[...]
> The digital signatu
A question for legal experts on the list: Does all this pose legal risks
within the current legal framework? In other words, do current digital
signature laws assume that also the headers are assumed to be authenticated
and non-repudiable if the message is digitally signed?
Enzo
- Original Me
- Original Message -
From: "William Allen Simpson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 06, 2001 12:59 PM
Subject: secure phone (was Re: Starium...)
> Now, the question is where to put the encryption. PPP has it. IP has
> it. But, I expect that VoIP/RTP wou
- Original Message -
From: "Peter Gutmann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, June 07, 2001 5:23 AM
Subject: Re: secure phone (was Re: Starium...)
[...]
> Given that most people are going to be sitting at PCs or have laptops with
> them, what
- Original Message -
From: "Greg Broiles" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Enzo Michelangeli" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, June 04, 2001 2:00 AM
Subject: Re: Lie in X.BlaBla...
[...]
> It does no
- Original Message -
From: "Greg Broiles" <[EMAIL PROTECTED]>
To: "Enzo Michelangeli" <[EMAIL PROTECTED]>; "R. A. Hettinga"
<[EMAIL PROTECTED]>; "Matt Crawford" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursd
On another mailing list, someone posted an interesting question: how to
ascertain that a tamperproof device (e.g., a smartcard) contains no hidden
backdoors? By definition, anything open to inspection is not tamperproof. Of
course, one can ask the manufacturer to disclose the design, but there is
ays work
end-to-end.
Besides, the fact that many users don't check the validity of the certs
presented by the other side is a disgrace, and should not be encouraged by
distributing broken software.
Enzo
- Original Message -
From: "vertigo" <[EMAIL PROTECTED]>
To: &
I don't know if anybody already noticed, but Outlook Express (at least the
version 5.5) blindly accepts any server certificate presented by a pop3s
(POP3 over SSL) server, without trying to validate it against a
locally-stored parent cert. This implies, for example, that roaming users
won't be abl