PGP 5.0i key gen vulnerability
Just one more reason to use GPG, at least so far... http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-22&[EMAIL PROTECTED] -- --Brad Bradley M. Alexander | Co-Chairman, Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG Winstar Telecom | [EMAIL PROTECTED] (703) 889-1049 | [EMAIL PROTECTED] "Complaining during downsizing is like playing with a pogo stick in a foxhole. It feels good, but it doesn't last." --Scott Adams "The Dilbert Future" pgpUe2uzrBwjX.pgp Description: PGP signature
[no subject]
unsubscribe
Re: On the security of e-mails
On 26-May-2000 Alexander Hvostov wrote: > Bradley, > > Uhm, isn't Sendmail's SMTP-over-SSL thing supposed to conform to some > standard..? I seriously doubt the other endpoint has to be > Sendmail; rather, I think it probably only needs to be running a proper > SMTP-over-SSL implementation. If this is the case, then this can be done > with stunnel and your favorite MTA. (mine being qmail... why doesn't > everyone use qmail..?) I think it is standard because I read the postfix TLS enhancement doc's and here is snip from description: Overview: = - This is an SSL/TLS enhancement package for postfix. It realizes (well, or at least should, once it is finished) the STARTTLS extension to SMTP as described in RFC2487 and used by Netscape 4.5x. RFC2487 is "SMTP Service Extension for Secure SMTP over TLS" So, all SMTP MTA's with SSL/TLS should cooperate, shouldn't they? -- E-Mail: Milan P. Stanic <[EMAIL PROTECTED]> Key fingerprint = EA81 54A6 7F35 5A38 FCE6 9EF6 9D24 E68E 5C1D AF15 --
Re: On the security of e-mails
Ethan, No. RSA does. And they have the agreement of enough people (whereas MS doesn't) to push the feds into sticking to relaxed crypto export controls. "Remember, if you don't keep the crypto laws relaxed, none of us will vote for you... nor will our supporters." Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -BEGIN GEEK CODE BLOCK- Version: 3.12 GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y --END GEEK CODE BLOCK-- On Fri, 26 May 2000, Ethan Benson wrote: > On Fri, May 26, 2000 at 02:37:59AM -0700, Alexander Hvostov wrote: > > Ethan, > > > > Only one problem. Charlie Brown doesn't have hordes of lawyers. > > and the Free software movement does? > > MS has hoards of lawyers and billions of dollors and even they are not > escaping the US govt ;-) > > -- > Ethan Benson > http://www.alaska.net/~erbenson/ >
Re: On the security of e-mails
On Fri, May 26, 2000 at 02:37:59AM -0700, Alexander Hvostov wrote: > Ethan, > > Only one problem. Charlie Brown doesn't have hordes of lawyers. and the Free software movement does? MS has hoards of lawyers and billions of dollors and even they are not escaping the US govt ;-) -- Ethan Benson http://www.alaska.net/~erbenson/ pgp9BRXD9eBIe.pgp Description: PGP signature
Re: On the security of e-mails
Ethan, Only one problem. Charlie Brown doesn't have hordes of lawyers. Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -BEGIN GEEK CODE BLOCK- Version: 3.12 GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y --END GEEK CODE BLOCK-- On Fri, 26 May 2000, Ethan Benson wrote: > On Fri, May 26, 2000 at 02:19:06AM -0700, Alexander Hvostov wrote: > > Ethan, and everyone, > > > > I seem to keep having to repeat myself: the USA recently relaxed its > > crypto export controls. I'm not certain if that means I can download > > OpenSSL and then send it to someone in > country here>, but I believe I can. > > well i personally don't really buy it, i have yet to find anyone who > can give a truly clear and unambiguous answer to the question. and i > have also heard that the current relaxation is just a `evaluation' > and they may very well reverse it again. > > you ever read `Peanuts'? the classic strip where Lucy pulls the > football away as Charlie Brown comes running to kick it springs to > mind... > > -- > Ethan Benson > http://www.alaska.net/~erbenson/ >
Re: On the security of e-mails
On Fri, May 26, 2000 at 02:19:06AM -0700, Alexander Hvostov wrote: > Ethan, and everyone, > > I seem to keep having to repeat myself: the USA recently relaxed its > crypto export controls. I'm not certain if that means I can download > OpenSSL and then send it to someone in country here>, but I believe I can. well i personally don't really buy it, i have yet to find anyone who can give a truly clear and unambiguous answer to the question. and i have also heard that the current relaxation is just a `evaluation' and they may very well reverse it again. you ever read `Peanuts'? the classic strip where Lucy pulls the football away as Charlie Brown comes running to kick it springs to mind... -- Ethan Benson http://www.alaska.net/~erbenson/ pgppMeEnjZJLl.pgp Description: PGP signature
Re: On the security of e-mails
Sergio, It would be useless to try and use SSL for debian-security, because it is a publicly accessible list, which sort of defeats the purpose of SSL... Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -BEGIN GEEK CODE BLOCK- Version: 3.12 GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y --END GEEK CODE BLOCK-- On Fri, 26 May 2000, Sergio Brandano wrote: > > Alexander Hvostov wrote > > > ...Unless you encrypt to a public key belonging to everyone on the > > mailing list, which certainly can be done, though this means > > distributing the appropriate public/private key pair, so the keys > > themselves would also have to be encrypted, probably to each > > individual user. > > > > Of course, you could also implement something like a bulletin board > > on HTTP over SSL instead... or maybe SMTP over SSL to each individual > > list subscriber. (insecure; most subscribers don't run their own mail > > server) > > I have a comment on this, related to the never ending battle against > SPAM. Why is that mailing lists, that are open only to subscribers, > make public the content of thir messages (including addresses) on the > web? Yes, archiving. But that opens the way to address collection. > > I like your proposal of using SSL for this list. And I think we > should give it a try. > > Sergio >
Re: On the security of e-mails
Ethan, and everyone, I seem to keep having to repeat myself: the USA recently relaxed its crypto export controls. I'm not certain if that means I can download OpenSSL and then send it to someone in , but I believe I can. Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -BEGIN GEEK CODE BLOCK- Version: 3.12 GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y --END GEEK CODE BLOCK-- On Thu, 25 May 2000, Ethan Benson wrote: > On Fri, May 26, 2000 at 12:19:33AM -0700, Alexander Hvostov wrote: > > Sergio, > > > > That's what GPG and a good MUA like Pine is for. Let's see "Big > > Brother" crack 1024-bit public key crypto anytime this decade... > > > > I know you can't legally do this in France; if you have a desire for your > > email to be private, then I suggest moving to a country whose crypto > > policies are not brain-dead, such as the USA, Canada, the UK, and so >^^^ > > USA does not have brain-dead crypto policies? well maybe not on use > inside the borders but its policy on crypto is most certainly very > brain-dead... > > -- > Ethan Benson > http://www.alaska.net/~erbenson/ >
Re: On the security of e-mails
We'll soon be getting braindead crypto laws in the UK if the RIP bill goes through. RIP details at http://www.stand.org.uk/ On Fri, 26 May 2000, Alexander Hvostov wrote: > Sergio, > > That's what GPG and a good MUA like Pine is for. Let's see "Big > Brother" crack 1024-bit public key crypto anytime this decade... > > I know you can't legally do this in France; if you have a desire for your > email to be private, then I suggest moving to a country whose crypto > policies are not brain-dead, such as the USA, Canada, the UK, and so > on. > > Regards, > > Alex. > > --- > PGP/GPG Fingerprint: > EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 > > -BEGIN GEEK CODE BLOCK- > Version: 3.12 > GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w > O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ > G e-- h++ r--- y > --END GEEK CODE BLOCK-- > Ben White 01473 403020 KeConnect Internet http://www.keconnect.co.uk/
Re: On the security of e-mails
Alexander Hvostov wrote > ...Unless you encrypt to a public key belonging to everyone on the > mailing list, which certainly can be done, though this means > distributing the appropriate public/private key pair, so the keys > themselves would also have to be encrypted, probably to each > individual user. > > Of course, you could also implement something like a bulletin board > on HTTP over SSL instead... or maybe SMTP over SSL to each individual > list subscriber. (insecure; most subscribers don't run their own mail > server) I have a comment on this, related to the never ending battle against SPAM. Why is that mailing lists, that are open only to subscribers, make public the content of thir messages (including addresses) on the web? Yes, archiving. But that opens the way to address collection. I like your proposal of using SSL for this list. And I think we should give it a try. Sergio
Re: On the security of e-mails
On Fri, May 26, 2000 at 12:19:33AM -0700, Alexander Hvostov wrote: > Sergio, > > That's what GPG and a good MUA like Pine is for. Let's see "Big > Brother" crack 1024-bit public key crypto anytime this decade... > > I know you can't legally do this in France; if you have a desire for your > email to be private, then I suggest moving to a country whose crypto > policies are not brain-dead, such as the USA, Canada, the UK, and so ^^^ USA does not have brain-dead crypto policies? well maybe not on use inside the borders but its policy on crypto is most certainly very brain-dead... -- Ethan Benson http://www.alaska.net/~erbenson/ pgpmIS4PYEupv.pgp Description: PGP signature
Re: On the security of e-mails
Julien, The US has relaxed its crypto export laws. I understand crypto can be exported freely now, though I'm not going to try that until I have a nice lawyer to talk to... Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -BEGIN GEEK CODE BLOCK- Version: 3.12 GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y --END GEEK CODE BLOCK-- On Fri, 26 May 2000, Julien Stern wrote: > On Fri, May 26, 2000 at 12:19:33AM -0700, Alexander Hvostov wrote: > > Sergio, > > > > That's what GPG and a good MUA like Pine is for. Let's see "Big > > Brother" crack 1024-bit public key crypto anytime this decade... > > > > I know you can't legally do this in France; if you have a desire for your > > email to be private, then I suggest moving to a country whose crypto > > policies are not brain-dead, such as the USA, Canada, the UK, and so > > on. > > > Well, > I know it has been terrible for quite a long time, but > crypto is now legal in France. You can use PGP, GPG or any other > software. As far as I rembember, the only limit is 128 bits on > _private_ keys systems, which is more than enough. > > I also believe there are some restrictions if you want to create > and/or export a software that includes crypto, but certainly not > as many restrictions than in the US, for example :) > > Regards, > Julien > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] >
Re: On the security of e-mails
On Fri, May 26, 2000 at 12:19:33AM -0700, Alexander Hvostov wrote: > Sergio, > > That's what GPG and a good MUA like Pine is for. Let's see "Big > Brother" crack 1024-bit public key crypto anytime this decade... > > I know you can't legally do this in France; if you have a desire for your > email to be private, then I suggest moving to a country whose crypto > policies are not brain-dead, such as the USA, Canada, the UK, and so > on. > Well, I know it has been terrible for quite a long time, but crypto is now legal in France. You can use PGP, GPG or any other software. As far as I rembember, the only limit is 128 bits on _private_ keys systems, which is more than enough. I also believe there are some restrictions if you want to create and/or export a software that includes crypto, but certainly not as many restrictions than in the US, for example :) Regards, Julien
Re: On the security of e-mails
Bradley, Uhm, isn't Sendmail's SMTP-over-SSL thing supposed to conform to some standard..? I seriously doubt the other endpoint has to be Sendmail; rather, I think it probably only needs to be running a proper SMTP-over-SSL implementation. If this is the case, then this can be done with stunnel and your favorite MTA. (mine being qmail... why doesn't everyone use qmail..?) Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -BEGIN GEEK CODE BLOCK- Version: 3.12 GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y --END GEEK CODE BLOCK-- On Thu, 25 May 2000 [EMAIL PROTECTED] wrote: > Sendmail is also beginning to address this issue. 8.11.x is supposed to > include SSL code to do end-to-end encryption. However, this still leaves > an opening at the destination host for snooping. Aside from that, this > assumes that both ends are using sendmail 8.11, which is a pipe dream for > a while to come. For end-to-end security, PGP or GPG encryption is the way > to go. > > On Thu, May 25, 2000 at 09:14:20AM -0500, Daniel Taylor wrote: > > The closest reliable method in that area is PGP encryption > > of e-mail. In theory only those people who have the message > > signed with their public key will be able to read it. > > > > In practice I haven't heard otherwise. > > > > The only place where it isn't appropriate to encrypt (maybe only sign) > > is on public mailing lists. > > > > Daniel TaylorEmbedded and custom Linux integration. > > [EMAIL PROTECTED] (612)747-1609 > > -- > --Brad > > Bradley M. Alexander | Co-Chairman, > Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG > Winstar Telecom | [EMAIL PROTECTED] > (703) 889-1049 | [EMAIL PROTECTED] > > Never draw fire, it irritates everyone around you. > --Murphy's Laws of Combat >
Re: On the security of e-mails
Daniel, ...Unless you encrypt to a public key belonging to everyone on the mailing list, which certainly can be done, though this means distributing the appropriate public/private key pair, so the keys themselves would also have to be encrypted, probably to each individual user. Of course, you could also implement something like a bulletin board on HTTP over SSL instead... or maybe SMTP over SSL to each individual list subscriber. (insecure; most subscribers don't run their own mail server) Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -BEGIN GEEK CODE BLOCK- Version: 3.12 GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y --END GEEK CODE BLOCK-- On Thu, 25 May 2000, Daniel Taylor wrote: > The closest reliable method in that area is PGP encryption > of e-mail. In theory only those people who have the message > signed with their public key will be able to read it. > > In practice I haven't heard otherwise. > > The only place where it isn't appropriate to encrypt (maybe only sign) > is on public mailing lists. > > Daniel TaylorEmbedded and custom Linux integration. > [EMAIL PROTECTED] (612)747-1609 > > On Thu, 25 May 2000, Sergio Brandano wrote: > > > > > I would like to raise the problem of the security of electronic > > mail. The problem popped into my mind a while ago, while reading > > about Italian legislation on the privacy and, in particular, of > > paper mail. I always wanted to draw the issue to the attention of the > > ``hi spheres'', but I am now in the UK, and the whole thing went into > > the limbo. The problem is simply as follows: there is no legislation > > that enforces the privacy of electronic mail. On the practical side, > > there is no software method currently implemented at large that > > allows the receiver, and only the receiver, to read his/her own mail. > > The secure transmission of mail is part of the whole process. > > The similar issue can easily be extended to the Internet, where sites > > (from the very client to the very server) can record your preferences, > > as if there were a big brother that spies on you and writes all down. > > An immediate consequence of it are all the SPAM mail selling > > financial services... > > > > Sergio > > > > > > -- > > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] >
Re: On the security of e-mails
Sergio, That's what GPG and a good MUA like Pine is for. Let's see "Big Brother" crack 1024-bit public key crypto anytime this decade... I know you can't legally do this in France; if you have a desire for your email to be private, then I suggest moving to a country whose crypto policies are not brain-dead, such as the USA, Canada, the UK, and so on. Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -BEGIN GEEK CODE BLOCK- Version: 3.12 GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y --END GEEK CODE BLOCK-- On Thu, 25 May 2000, Sergio Brandano wrote: > > I would like to raise the problem of the security of electronic > mail. The problem popped into my mind a while ago, while reading > about Italian legislation on the privacy and, in particular, of > paper mail. I always wanted to draw the issue to the attention of the > ``hi spheres'', but I am now in the UK, and the whole thing went into > the limbo. The problem is simply as follows: there is no legislation > that enforces the privacy of electronic mail. On the practical side, > there is no software method currently implemented at large that > allows the receiver, and only the receiver, to read his/her own mail. > The secure transmission of mail is part of the whole process. > The similar issue can easily be extended to the Internet, where sites > (from the very client to the very server) can record your preferences, > as if there were a big brother that spies on you and writes all down. > An immediate consequence of it are all the SPAM mail selling > financial services... > > Sergio > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] >