RE: X.BlaBla in PGP??? BWAHAHAHAHAHA!!!!

2000-03-06 Thread Phillip Hallam-Baker

>Technically speaking it's not really supported by X.509 either because CRL's
>don't really work (see for example the FC'99 proceedings for more details on
>this, along with suggestions on how to fix it).

I think you are probably referring to Ron's paper in FC'98. I presented an
alternative and somewhat radical architecture at RSA'99 which demonstrated
that it was practical to distribute revocation info in real time for a
population of 5 billion certs.

There is also the IETF work by Mike Myers and myself on OCSP and OCSP-X
respectively.


> This isn't a problem with Outlook or MS (for once :-) but a
>problem with the whole CRL concept.

Agreed, I see CRLs as a draft architecture that was good enough for circa
1990 but not so hot come deployment a decade later. But it is quite possible
to provide a workable solution in context.


> An option which I like (because
>it's efficient and fast) is to have a BIND-style daemon which snarfs CRL's
>from wherever[0] every now and then and answers validity check queries very
>quickly (millisecond response time, so the user won't even notice it's
>happened).  I hope to have a paper on this out RSN.

I will send you the paper I wrote for RSA '99. I describe precisely that type
of architecture. The argument I make is that we should migrate to that type
of architecture in the long term. OCSP provides a very useful staging ground.


Phill
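
The lookup side of the CRL-caching daemon discussed in this message, as an added example that is not part of the original thread or either author's paper. It assumes CRLs arrive already parsed and signature-checked; the class and function names are hypothetical and the sample CRLs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Crl:
    """Already-parsed, already-signature-checked CRL (assumption of this sketch)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # revoked certificate serial numbers


class RevocationCache:
    """Hypothetical in-memory index a CRL-fetching daemon would answer from."""

    def __init__(self):
        self._by_issuer = {}

    def ingest(self, crl):
        """Store a fetched CRL; refuse one that is not newer than what is held."""
        held = self._by_issuer.get(crl.issuer)
        if held is not None and crl.this_update <= held.this_update:
            return False  # replayed or stale copy must not roll the cache back
        self._by_issuer[crl.issuer] = crl
        return True

    def status(self, issuer, serial, now):
        """O(1) answer: 'good', 'revoked', or 'unknown' if data is missing or expired."""
        crl = self._by_issuer.get(issuer)
        if crl is None or now > crl.next_update:
            return "unknown"  # never report 'good' from absent or expired data
        return "revoked" if serial in crl.revoked else "good"


def demo():
    """Constructed sample data: one CA, two daily CRLs."""
    ca, day = "CN=Example CA", timedelta(days=1)
    t0 = datetime(2000, 3, 6, tzinfo=timezone.utc)
    old = Crl(ca, t0, t0 + day, frozenset({0x1001}))
    new = Crl(ca, t0 + day, t0 + 2 * day, frozenset({0x1001, 0x2002}))
    cache = RevocationCache()
    cache.ingest(old)
    seen = [cache.status(ca, 0x1001, t0),            # revoked
            cache.status(ca, 0x2002, t0),            # good: not yet on any CRL
            cache.status("CN=Other CA", 1, t0),      # unknown: no CRL held
            cache.status(ca, 0x2002, t0 + 2 * day)]  # unknown: CRL expired
    accepted = (cache.ingest(new), cache.ingest(old))  # newer taken, replay refused
    seen.append(cache.status(ca, 0x2002, t0 + day))    # revoked after refresh
    return seen, accepted
```

The second query shows the latency limit of any CRL-fed responder: serial 0x2002 reads as good until a CRL that lists it has been fetched.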



RE: NSA transitioning to commercial services model

1999-10-22 Thread Phillip Hallam-Baker

Too late. Many of the employees have transitioned into the
private sector of their own accord long ago.

What we are seeing however is strong pressure from governments
worldwide on industry to invest in computer security. The
threat of information warfare is certainly being taken seriously
and there is a realization that the military depends on the
civilian infrastructure.

Governments are also positioning themselves to push on this
topic because they realize that the security infrastructure
needed to protect against infowar is also the enabling
infrastructure for electronic commerce. Hence the appointment
in the UK of an 'e-envoy'.

If it wasn't for Y2K and the euro conversion this pressure
would be being felt today. Europe knows exactly what it is
doing with their privacy directive, they are forcing industry
to build infrastructure.

Liberflamage on the morality of this to /dev/null please.
Governments exist, get over it.


Phill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert Hettinga
Sent: Friday, October 22, 1999 9:26 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: NSA transitioning to commercial services model


The NSA continues to discover that financial cryptography is the only
cryptography that matters.

As Whit Diffie has said in the same vein, "InfoWar", whatever *that*
means, will be "fought" between businesses and private individuals,
and not governments. There's little that government crypto/security
agencies can do to assist entities in those conflicts, any more than
post-feudal religion could help much in conflicts between secular
nation-states.

So, in keeping with the spirit of the following article, I propose
that the US Government should follow their apparent instincts here,
privatize the NSA, and take it, heh..., public.

Cheers,
RAH

It's going to happen anyway, of course...



--- begin forwarded text


Mailing-List: contact [EMAIL PROTECTED]
From: "Dan S" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Fri, 22 Oct 1999 07:59:31 -0400
Subject: IP: Super-secret NSA transitioning to commercial services model

From http://www.fcw.com/pubs/fcw/1999/1018/web-nsa-10-21-99.html
-
OCTOBER 21, 1999 . . . 11:29 EDT



Super-secret NSA transitioning to commercial services model

BY DIANE FRANK ([EMAIL PROTECTED])

The National Security Agency, the enigmatic signals intelligence arm of the
Defense Department, is breaking away from its traditional role of building
"black boxes" for encrypting highly classified information in favor of
offering security and certification services similar to those in commercial
industry.

Mike Jacobs, deputy director of information systems at NSA, said that while
the agency "will always have a traditional portion of our business building
'black boxes' . . . we are an organization in transition."

The agency increasingly is offering security assessment, testing, red teams
and diagnostics services to other Defense and civilian agencies, Jacobs said
Wednesday at the National Information Systems Security Conference. "This is
the growth area [and a] burgeoning new business," he said.

Rather than doing all the testing and validation of its own products for
itself, NSA will be relying on the National Information Assurance
Partnership (NIAP), a joint validation effort between NSA and the National
Institute of Standards and Technology.

In the past, NSA endorsed security products and procedures, and encouraged
their use by assuring members of the Defense and intelligence community that
such products would be "bulletproof" solutions, said Lou Giles, a member of
the NIAP from NSA.

Now, instead of products receiving NSA's endorsement, agencies will have to
bring their protection profiles -- the description of their information
environment and security needs -- to NSA, which will then certify that
process as one that meets certain NSA-approved security standards. NSA also
will evaluate and certify proposals from vendors.

"The customer still wants that NSA endorsement," Giles said. "But this is a
new philosophical paradigm of evaluation for commercial products that we're
moving to."

--
Dan S




-
To subscribe, send email to: [EMAIL PROTECTED]
To unsubscribe, send email to: [EMAIL PROTECTED]

--- end forwarded text


-
Robert A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

For help on using this list (especially unsubscribing), send a message to
"[EMAIL PROTECTED]" with one line of text: "help".




RE: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)

1999-10-07 Thread Phillip Hallam-Baker

This is a problem with SSL 2.0 first discovered by Simon Spero then at EIT.

It was fixed in SSL 3.0, that must be almost three years ago.

The server certificate now binds the public key to a specific Web server
address.

Phill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert Hettinga
Sent: Wednesday, October 06, 1999 4:22 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)


At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:


> Title: Special Kurt's Closet: Is SSL dead?
> Resource Type: News letter
> Date: September 30, 1999
> Source: Security Portal
> Author: Kurt Seifried
> Keywords: INTERNET/WWW,SECURITY ISSUES ,ONLINE SHOPPING ,SSL
>
> Abstract/Summary:
> The title is a bit scary, but I wanted to get your attention (worked, didn't it?). Most
> security experts have been aware of problems with SSL, but generally speaking we
> haven't said much because there wasn't much of a replacement available for it,
> and it hasn't been exploited extensively (chances are it will be, though). I'll start
> with an explanation of the basic attack, followed by some methods to protect yourself,
> and finish with an interview with Dale Peterson of DigitalBond and the summary.
>
> How to do it
>
> Let's say I want to scam people's credit card numbers, and don't want to break into
> a server. What if I could get people to come to me, and voluntarily give me their
> credit card numbers? Well, this is entirely too easy.
>
> I would start by setting up a web server, and copying a popular site to it, say
> www.some-online-store.com, time required to do this with a tool such as wget is
> around 20-30 minutes. I would then modify the forms used to submit information
> and make sure they pointed to my server, so I now have a copy of
> www.some-online-store.com that looks and feels like the "real" thing. Now, how do
> I get people to come to it? Well I simply poison their DNS caches with my information,
> so instead of www.some-online-store.com pointing to 1.2.3.4, I would point it to
> my server at 5.6.7.8. Now when people go to www.some-online-store.com they end
> up at my site, which looks just like the real one.
>
> Original URL: http://securityportal.com/closet/closet19990930.html
>
> Added: Wed  Oct  6 12:41:14 -040 1999
> Contributed by: Keeffee

-
Robert A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
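
The client-side check that makes a name-bound server certificate useful against the redirection scenario quoted above, as an added example that is not part of the original thread. The matching rules are a simplified, present-day style of DNS name comparison chosen for this sketch, not the text of the SSL 3.0 specification; function names are hypothetical and the certificate name lists in the test are constructed.

```python
import ipaddress


def _is_ip(host):
    """True when the requested host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Compare one DNS name from a certificate with the host the user asked for."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and needs at
        # least two fixed labels after it, so "*.com" never matches.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial ("w*") or non-leftmost wildcards are rejected
    return p == h


def server_identity_ok(cert_dns_names, requested_host):
    """True only if the certificate names the host taken from the URL."""
    if _is_ip(requested_host):
        return False  # DNS names in a certificate never vouch for an IP literal
    return any(name_matches(n, requested_host) for n in cert_dns_names)
```

The comparison uses the host name from the URL the user requested, never a name obtained from DNS, so a poisoned cache changes where the connection goes but not what the certificate has to say.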





RE: What was the quid pro quo for Wassenaar countries?

1998-12-05 Thread Phillip Hallam-Baker

John Gilmore may be right, but remember folks that in Europe we have this
thing the Greeks invented called democracy. One of the ideas of democracy
is that decisions are not made in secret closed meetings.

The interpretation of the US ambassador appears to be based on the assumption
that the governmental procedures of democratic countries are like those of
his home country. In fact European governments cannot make law simply by
telling the national police force to arrest folk who engage in particular
behaviour.

The system of checks and balances may be described in the US constitution
but it is entrenched in the European polity. The UK does not have a national
police force precisely to stop Hooverism.

Even directives of the European Commission do not have legal force until the
national parliaments enact legislation to implement the directive.

One should also remember that the government of the Netherlands has agreed
to control the sale and use of narcotics. If their efforts to control
cryptography are as diligent we have nothing to worry about.

In addition under the single European act the entire country of Europe is
one export zone for crypto control purposes. I fail to see that stopping
Brits from exporting crypto to the US changes the equation a great deal.


There once was an English king called Canute who attempted to demonstrate
to his courtiers that he was fallible and could not order the tide to
turn. Perhaps Clinton's courtiers need to learn that they suffer the same
limitation.

Phill






RE: Digicash bankruptcy

1998-11-06 Thread Phillip Hallam-Baker



> > Finally I have difficulty regarding Digicash as being all that socially
> > responsible. Chaum's problems had a lot to do with the business terms
> > he insisted on. What he had was a technology which allowed an improvement
> > to a payment system. He imagined he had a monopoly on the only feasible
> > solution. He was very badly mistaken. The monopoly rents he demanded
> > were more than the market was willing to pay for a working and deployed
> > system - let alone for a patent license.
> 
> Where does the "monopoly rents" comment come from?  
> 
> In other words, on what basis are you making that statement?

Chaum's reported demands for patent licensing fees were consistently
above 10-20% of the service revenue plus a significant up front fee.
Those levels are more usually associated with a monopolistic patent,
hence 'monopoly rent'.

The fact that Chaum didn't have the monopoly he appeared to imagine
is probably why nobody was queuing up to pay his demands.


Phill




RE: Digicash bankruptcy

1998-11-06 Thread Phillip Hallam-Baker

Phil is right in much of what he says but in a couple of cases he
is wrong.

Regarding the 'vortex of buzz technologies', VRML, network computers
and push are certainly not hot properties at the moment, neither is
interactive TV - but the Web was designed as the antithesis of 
Interactive TV. The root failure of Interactive TV was the assumption
that the world wanted to spend its time passively consuming the dross
pumped out through a 1000 channel 120" TV which would dominate the home.

I would also like to add Java onto the pile. Java today is simply
what C++ should have been. It does not revolutionize the programming
industry, it simply provides what some people think is an object
oriented programming environment and removes some of the worst 
legacy clutter of C.

Cryptographic payment systems are here - in the form of credit card
transactions over SSL. The main problem with SET and its competitors
is that SSL works a little too well.

That is not to say that there is no future for SET. SSL and credit
cards are unlikely to make the leap from the consumer market to the
business to business market. SET provides an ideal platform to 
integrate the use of the credit card infrastructure for business
payments.

The other area where I would disagree is over protocols. HTTP is
quite radically different to FTP in that it is a computer client
to computer server protocol. The metaphor of FTP is rummaging through
a filing cabinet. The HTTP and Web mechanism employs a locator.
Admittedly there was nothing to stop a text mode Web being created
in 1982 but nobody did so.

What is true is that the time taken for Internet technologies to move
to market is very slow. Much of the HTTP technology that just reached 
the market was proposed in '92 and '93. 

Finally I have difficulty regarding Digicash as being all that socially
responsible. Chaum's problems had a lot to do with the business terms
he insisted on. What he had was a technology which allowed an improvement
to a payment system. He imagined he had a monopoly on the only feasible
solution. He was very badly mistaken. The monopoly rents he demanded
were more than the market was willing to pay for a working and deployed
system - let alone for a patent license.

Phill