Re: IBM to build crypto-on-a-chip into all its PCs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 29 Sep 1999, William H. Geiger III wrote:

If you do not trust the crypto processor then you should throw the whole machine out - there are *so* many other ways that IBM could have compromised the system.

So you suggest the head in the sand approach? There are so many different ways a system can be compromised so we will just ignore them all? Surely you are not naive enough to blindly trust someone's crypto black box just because they say it's secure?

Surely you are not naive enough to blindly trust someone's black box of a CPU just because they say it does not contain trapdoors? This applies even more so for operating systems.

Have you audited every line of Warp 4.0? Of course not, but you are willing to rant about the alleged insecurity of a crypto chip by the very same vendor. You don't see the inconsistency?

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.ilogic.com.au/~dmiller
| Email: [EMAIL PROTECTED] (home) -or- [EMAIL PROTECTED] (work)

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE38t6QormJ9RG1dI8RAguOAKCa5hMRymU0i+dq31qR/Vseobmc8gCfegXY
80q/C5xn1dVVDcBNoSJ4yoU=
=8iQs
-END PGP SIGNATURE-
KeyNote RFC now available
The official version of the RFC describing "The KeyNote Trust Management System, Version 2" has been published as RFC 2704. This document provides the complete, official description of the KeyNote language syntax and semantics as well as a basic discussion of the architectural implications of integrating KeyNote into applications.

KeyNote is a flexible "trust management" language that provides a unified approach to specifying and interpreting security policies, credentials, and relationships, giving applications a simple mechanism for determining whether potentially "dangerous" actions requested by users or over networks should be performed.

KeyNote-based applications use a standard language for their security policies and credentials that provides a very simple and powerful mechanism for distributing policy control and delegating authority. Because local policies and distributed credentials are written in the same language, it is very easy to maintain a consistent approach to security policy as applications "scale up" from local to distributed.

KeyNote is being used in a wide range of applications, including electronic commerce, control of IPSEC tunnels, and digital rights management. KeyNote is unpatented, and we have a free, open-source toolkit available for application developers.

The KeyNote RFC can be downloaded via anonymous FTP from the official RFC directory (and, in the next few days, from the usual mirror sites):

ftp://ftp.isi.edu/in-notes/rfc2704.txt

I've also made a copy available on my web site, which seems to have better performance than ftp.isi.edu given the load on the latter:

http://www.crypto.com/papers/rfc2704.txt

Also, the official (non-beta) release of the KeyNote Trust Management open source reference implementation and toolkit will be available in the next couple of days; watch this space for an announcement.

-matt
IT Companies Promote New Standard For Phone Security (was Re:Edupage, 29 September 1999)
Why do I keep thinking "Radicchio" really gonna be another GSM "Pinocchio"?

Cheers,
RAH

At 5:02 PM -0600 on 9/29/99, EDUCAUSE wrote:

IT COMPANIES PROMOTE NEW STANDARD FOR PHONE SECURITY

EDS, France's Gemplus, Sonera, and Ericsson have founded a forum called "Radicchio" to promote a world encryption standard. Known as "public key infrastructure," the technology provides security for mobile phone-based electronic commerce transactions. The technology can be embedded into a silicon chip that is located inside typical GSM handsets. Analysts believe that the mobile commerce market could reach $66 billion in the next four years, but forum founding members are concerned that security issues could impede the emerging market. The European initiative is currently pursuing new members, such as industry players and governments. Members of Radicchio say there could be 600 million mobile phones connected to the Internet by 2004, and easing security fears could go a long way toward making electronic transactions ubiquitous. (Financial Times 09/28/99)

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: IT Companies Promote New Standard For Phone Security (was Re: Edupage, 29 September 1999)
In v04210105b418868cf897@[207.244.108.117], on 09/29/99 at 11:29 PM, Robert Hettinga [EMAIL PROTECTED] said:

Why do I keep thinking "Radicchio" really gonna be another GSM "Pinocchio"?

Because money is more important than morality to these people. They will cave to the LEA's just like all those before them have.

--
---
William H. Geiger III http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---