Key Management Interoperability Protocol (KMIP)
Probably of interest to this group... http://www.webwire.com/ViewPressRel.asp?aId=87063 Best regards, Darren Lasko Principal Engineer Advanced Development Group, Storage Products Fujitsu Computer Products of America [Moderator's note: the page is about something called KMIP that a few companies seem to have privately developed. It is generally considered friendly to include enough information with a forwarded URL so that readers can decide if they want to look at what is being referenced. I may start being strict about that in the future. --Perry] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
RE: Property RIghts in Keys
Hi all, Say I have discovered a marvelous method of easily factoring RSA keys, which unfortunately the margin of this emacs buffer is too small to contain, and I then go out, factor GeoTrust's CA key and issue a new certificate. Questions: Am I now infringing on GeoTrust's IP rights? Or have, rather, I made myself a co-owner in said rights on this particular key? Have I broken any law? If not, should what I have done be illegal? Here's a variant that I find interesting ;-). It's not about the public key but about the signature, another cryptograhic field in a certificate that shares many properties with keys. Say somebody has discovered a marvelous method of finding collisions for a hash function. Then he creates two certificates, of which the to-be-signed parts form a hash collision. Then he lets a CA sign one of them, and copies the signature into the other one, making that a certificate that is indistinguishable from a valid one issued by the CA. Has he broken any copyright law? I admit this is a purely hypothetical case. Or... maybe it isn't? Grtz, Benne de Weger - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: full-disk subversion standards released
Ben Laurie wrote: If I have data on my server that I would like to stay on my server and not get leaked to some third party, then this is exactly the same situation as DRMed content on an end user's machine, is it not? No. You want to keep control of the information on your server. DRM wants to deny the end user control of the information on the end user's machine. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: full-disk subversion standards released
Alexander Klimov wrote: On Wed, 11 Feb 2009, Ben Laurie wrote: If I have data on my server that I would like to stay on my server and not get leaked to some third party, then this is exactly the same situation as DRMed content on an end user's machine, is it not? The treat model is completely different: for DRM the attacker is the user who supposedly has complete access to computer, while for server the attacker is someone who has only (limited) network connection to your server. You wish. The threat is an attacker who has root on your machine. -- http://www.apache-ssl.org/ben.html http://www.links.org/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
no warrant required
From today's (13 Feb 2009) National Post: http://www.nationalpost.com/news/story.html?id=1283120 excerpt: An Ontario Superior Court ruling could open the door to police routinely using Internet Protocol addresses to find out the names of people online, without any need for a search warrant. Justice Lynne Leitch found that there is no reasonable expectation of privacy in subscriber information kept by Internet service providers (ISPs), in a decision issued earlier this week. -James signature.asc Description: OpenPGP digital signature
NSA offering 'billions' for Skype eavesdrop solution
Counter Terror Expo: News of a possible viable business model for P2P VoIP network Skype emerged today, at the Counter Terror Expo in London. An industry source disclosed that America's supersecret National Security Agency (NSA) is offering billions to any firm which can offer reliable eavesdropping on Skype IM and voice traffic. http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/ --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Property RIghts in Keys
[Moderator's note: I've been clamping down on the IP discussion since not much more really new was being said, but I'm allowing this through because it brings up an interesting side point -- I will reply to it to move to that discussion. --Perry] * Perry E. Metzger: However, a cert seems almost certainly *not* to be IP. 1) It can't be a trade secret, it is published. 2) It can't be patented. 3) It can't be copyrighted, it contains no creativity. 4) It can't be trademarked because the company named in the DN is long gone (It's quite strange that so many of the browser root certs use DNs which aren't correct anymore.) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
The Magic of X.509 Certification (was Re: Property Rights in Keys)
Florian Weimer f...@deneb.enyo.de writes: 4) It can't be trademarked because the company named in the DN is long gone (It's quite strange that so many of the browser root certs use DNs which aren't correct anymore.) It isn't strange -- it is part of the fairly frightening ecology we've developed. Lets remember briefly how we got here... 1) Netscape wanted to deploy SSL 2) ...but to do that, they needed some way of getting people trust anchors for the certificate system... 3) ...and lacking time for any sort of real protocol, the easy move was just building them in to the browser binaries... 4) ...and everyone else followed suit... 5) ...so now, being one of the magic CAs who's root certs are distributed with the commonly used browsers (IE, Safari, Firefox, Opera, etc.) is a license to print money. 6) ...as a result of which, lots of CAs have been bought, sold and traded around repeatedly. This is all part and parcel of the problem that you can't *really* trust the CAs terribly much. The security of your browser is, to a large extent, dependent on the security practices of the least diligent CA built in to your browser. (There are loads of other problems too of course.) It is particularly interesting to me how far we've come from the original vision of X.509 -- indeed, a large fraction of our infrastructure now uses X.500 DNs and X.509 certs in a manner totally alien to the original vision for those technologies. There is no global X.500 directory, there is no rigidly central global certification hierarchy. The data formats have become a sort of mere magical incantation -- almost no one involved has any any knowledge of what any of it means, how it evolved, or what the real threats are. To a scary extent, this includes people making critical security decisions about the infrastructure. With my moderator hat on, I'm not *too* interested in opening this up again -- we've discussed it repeatedly in the past -- but I think a reminder isn't a bad thing. I'll forward posts that have something particularly new to say about the subject, or at least which say something old in a particularly interesting way. :) Perry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Property RIghts in Keys
On Feb 12, 2009, at 11:24 AM, Donald Eastlake wrote: On Thu, Feb 12, 2009 at 12:58 PM, Perry E. Metzger pe...@piermont.com wrote: s...@acw.com writes: ... There are four kinds of intellectual property. Is it a trade secret? No. Is it a trademark or something allied like trade dress? No. Is it patentable? No. Is it copyrightable? No. So, depending on how creative the extension fields are :-), or may not dependent on that, why isn't it copyrightable? For the same reason that phone books are not copyrightable. A certificate is nothing more than a directory entry with frosting and sprinkles. Jon - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com