Re: [cryptography] Hi guys, looking for a talanted crypto for an early stage funded bitcoin-related startup.

[Peter Gutmann]

John Levine  writes:

>>I'm looking for a talanted crypto for an early stage funded bitcoin-related
>>startup,
>
>I have to ask: funded with what?

I'd actually misread the original post as "bitcoin-funded", and thought "yeah,
that'd be about right" :-).

Peter.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] How are expired code-signing certs revoked?

[Jon Callas]

On 10 Dec, 2011, at 11:58 PM, Peter Gutmann wrote:

> Jon Callas  writes:
> 
>> If someone actually built such combination of OS and marketplace, it would
>> work for the users very well, but developers would squawk about it. Properly
>> done, it could drop malware rates to close to nil.
> 
> Oh, developers would do more than squawk about it.  Both Java and .NET
> actually support the capability-based security that you mentioned, but it's so
> painful to use that it's either turned off by default (.NET's 'trust
> level="Full"') or was turned off after massive developer backlash (Java).
> Even the very minimal capabilities used by Android are failing because of the
> dancing bunnies and confused deputy problems, and because developers request
> as close to any/any as they can get just in case (exacerbating the confused
> deputy problem).
> 
> (One of the nice things about Android is that it's fairly easy to decompile
> and analyse the code, so there have been all sorts of papers published on its
> capability-based security mechanisms using this technique.  It's serving as a
> nice real-world empirical evaluation of failure modes of capability-based
> security systems.  I'm sure someone could get a good thesis out of it at some
> point).
> 
>> Properly done, it could drop malware rates to close to nil.
> 
> Objection, tautology: Properly done, any (malware-related) security measure
> would drop malware rates close to nil.  The problem is doing it properly...
> 

Yes, doing it properly is the key and I'll assert that Apple is doing a pretty 
good approximation of it. They are doing more or less what I described -- good 
coding enforcement backed up with digital signatures. There are plenty of 
people squawking about it. I know developers who've thrown up their hands and 
there is plenty of grumpiness I've heard. Some of it reasonable grumpiness, too.

But the end result for the users is that malware rate is close to zero. The 
system is by no means perfect, and has side-effects. But the times when 
something slipped through the net are so few that they're notable still. (And 
some of the malware has been kinda charming, like the flashlight app that had a 
hidden SOCKS proxy that let people use it for tethering.) More importantly, the 
system does not throw things at the users that they're incapable of handling, 
like the Android way of just informing you what capabilities an app needs. 
People can and do just hand devices to their kids and let them use them with no 
ill effects.

Jon


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] Hi guys, looking for a talanted crypto for an early stage funded bitcoin-related startup.

[John Levine]

>I'm looking for a talanted crypto for an early stage funded bitcoin-related
>startup,

I have to ask: funded with what?

R's,
John
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] How are expired code-signing certs revoked?

[ianG]

On 8/12/11 02:11 AM, d...@geer.org wrote:

Another wrinkle, at least as a logic problem, would be
whether you can revoke the signing cert for a CRL and
what, exactly, would that mean -- particularly if the
last known good date is well astern and hence the
revocation would optimally be retroactive.


Is the logical answer here that you have to treat the signing cert for a 
CRL at the same level as the root concerned?


So a CRL-signing cert for a sub-root (generally one and the same thing) 
would (both) want to be revoked at the root level, that is, appear in 
the CRL as signed by the root.  Whether it works that way in practice, I 
don't know.  I suppose I should...


In PKI it's a fairly well established principle that the layer one up 
has to revoke [0].  So, when some roots needed to be revoked recently, 
browsers had to ship new software.  Vendors are the ueber-CA.  
Therefore, the CRL/OCSP certs for a root can only be revoked at software 
level.



--dan, quite possibly in a rat hole


iang, we're all in rat holes together



[0] Unlike PGP where self can revoke self;  there are no layers.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

[cryptography] Hi guys, looking for a talanted crypto for an early stage funded bitcoin-related startup.

[or perelman]

Hi guys,

I'm looking for a talanted crypto for an early stage funded bitcoin-related
startup,

If you are interested drop me a message for further details.

Thanks alot!

-- 
Kind regards

Or Perelman
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography