At Sat, 24 Jan 2009 14:55:15 +1300,
Peter Gutmann wrote:
> >Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those
> >between SSL and TLS. I'm not particularly happy about that either, but it's
> >what we felt was necessary to do a principled job.
>
> It may have been a nicely prin
On Sat, Jan 24, 2009 at 2:36 AM, Victor Duchovni
wrote:
> You seem to be out of touch I am afraid. Just look at what many O/S
> distributions do. They adopt a new OpenSSL 0.9.Xy release from time to
> time (for some initial "y") and back-port security fixes never changing
> the letter. One can't a
Eric Rescorla writes:
>At Tue, 20 Jan 2009 17:57:09 +1300, Peter Gutmann wrote:
>> "Steven M. Bellovin" writes:
>>
>> >So -- who supports TLS 1.2?
>>
>> Not a lot, I think. The problem with 1.2 is that it introduces a pile of
>> totally gratuitous incompatible changes to the protocol that requir
At Tue, 20 Jan 2009 17:57:09 +1300,
Peter Gutmann wrote:
>
> "Steven M. Bellovin" writes:
>
> >So -- who supports TLS 1.2?
>
> Not a lot, I think. The problem with 1.2 is that it introduces a pile of
> totally gratuitous incompatible changes to the protocol that require quite a
> bit of effort
On Fri, Jan 23, 2009 at 04:01:50PM +1100, Ben Laurie wrote:
> > I really hope to see
> > real OpenSSL patch releases some day with development of new features
> > *strictly* in the development snapshots. Ideally this will start with
> > 0.9.9a, with no new features, just bug-fixes, in [b-z]. ]
>
On Tue, Jan 20, 2009 at 5:14 AM, Victor Duchovni
wrote:
> On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote:
>
>> The RFC does exit (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256
>> mandatory), so you can send a SHA-256 certificate to clients that
>> indicate they support TLS 1.2 o
Jon Callas writes:
>I've always been pleased with your answer to Question J, so I'll say what
>we're doing at PGP.
That wasn't really meant as a compliment :-). The problem is that by leaping
on things the instant they appear you end up having to support a menagerie of
wierdo algorithms and mec
On Mon, Jan 19, 2009 at 01:38:02PM +, Darren J Moffat wrote:
> I don't think it depends at all on who you trust but on what algorithms
> are available in the protocols you need to use to run your business or
> use the apps important to you for some other reason. It also very much
> depends
I have a general outline of a timeline for adoption of new crypto
mechanisms (e.g. OAEP, PSS, that sort of thing, and not specifically
algorithms) in my Crypto Gardening Guide and Planting Tips, http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt
, see "Question J" about 2/3 of the way
"Steven M. Bellovin" writes:
>So -- who supports TLS 1.2?
Not a lot, I think. The problem with 1.2 is that it introduces a pile of
totally gratuitous incompatible changes to the protocol that require quite a
bit of effort to implement (TLS 1.1 -> 1.2 is at least as big a step, if not a
bigger s
On Mon, 19 Jan 2009 10:45:55 +0100
Bodo Moeller wrote:
> On Sat, Jan 17, 2009 at 5:24 PM, Steven M. Bellovin
> wrote:
>
> > I've mentioned it before, but I'll point to the paper Eric Rescorla
> > wrote a few years ago:
> > http://www.cs.columbia.edu/~smb/papers/new-hash.ps or
> > http://www.cs.
On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote:
> The RFC does exit (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256
> mandatory), so you can send a SHA-256 certificate to clients that
> indicate they support TLS 1.2 or later. You'd still need some other
> certificate for interop
At 1:38 PM + 1/19/09, Darren J Moffat wrote:
>Can you state the assumptions for why you think that moving to SHA384 would be
>safe if SHA256 was considered vulnerable in some way please.
Sure. I need 128 bits of pre-image protection for, say, a digital signature.
SHA2/256 is giving me that.
Paul Hoffman wrote:
At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote:
When in 2012 the winner of the
NIST SHA-3 competition will be known, and everybody will start
using it (so that according to Peter's estimates, by 2018 half
of the implementations actually uses it), do we then have enough
red
On Sat, Jan 17, 2009 at 5:24 PM, Steven M. Bellovin
wrote:
> I've mentioned it before, but I'll point to the paper Eric Rescorla
> wrote a few years ago:
> http://www.cs.columbia.edu/~smb/papers/new-hash.ps or
> http://www.cs.columbia.edu/~smb/papers/new-hash.pdf . The bottom line:
> if you're
At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote:
>When in 2012 the winner of the
>NIST SHA-3 competition will be known, and everybody will start
>using it (so that according to Peter's estimates, by 2018 half
>of the implementations actually uses it), do we then have enough
>redundancy?
No offen
On Mon, 12 Jan 2009 16:05:08 +1300
pgut...@cs.auckland.ac.nz (Peter Gutmann) wrote:
> "Weger, B.M.M. de" writes:
>
> >> Bottom line, anyone fielding a SHA-2 cert today is not going=20
> >> to be happy with their costly pile of bits.
> >
> >Will this situation have changed by the end of 2010 (tha
nsition is a difficult decision to make.
> PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/)
> offering the video and audio files of the 25c3 presentation "MD5
> considered harmful today", provide for integrity checking of those
> files their, uhm, MD5 has
Hi Peter,
> I have a general outline of a timeline for adoption of new
> crypto mechanisms
> (e.g. OAEP, PSS, that sort of thing, and not specifically
> algorithms) in my
> Crypto Gardening Guide and Planting Tips,
> http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt,
> see "Question J
"Weger, B.M.M. de" writes:
>> Bottom line, anyone fielding a SHA-2 cert today is not going=20
>> to be happy with their costly pile of bits.
>
>Will this situation have changed by the end of 2010 (that's next year, by the
>way), when everybody who takes NIST seriously will have to switch to SHA-2
Victor Duchovni wrote:
> There is a huge install-base of systems on which SHA-2
> certs will failed SSL handshakes. When Windows XP
> systems are <1% of the install-base, when OpenSSL
> 0.9.8 is <1% of the install-base and 0.9.9 too (if the
> support is not added before it goes official)
It is no
On Sat, Jan 10, 2009 at 11:32:44PM +0100, Weger, B.M.M. de wrote:
> Hi Victor,
>
> > Bottom line, anyone fielding a SHA-2 cert today is not going
> > to be happy with their costly pile of bits.
>
> Will this situation have changed by the end of 2010 (that's
> next year, by the way), when everyb
entence the word "intersection" should be
replaced by "union".]]
Grtz,
Benne de Weger
PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/)
offering the video and audio files of the 25c3 presentation "MD5
considered harmful today", provide for inte
On Thu, Jan 08, 2009 at 06:23:47PM -0600, Dustin D. Trammell wrote:
> Nearly everything I've seen regarding the proposed solutions to this
> attack have involved migration to SHA-1. SHA-1 is scheduled to be
> decertified by NIST in 2010, and NIST has already recommended[1] moving
> away from SHA-
On Tue, 2008-12-30 at 11:51 -0800, "Hal Finney" wrote:
> Therefore the highest priority should be for the six bad CAs to change
> their procedures, at least start using random serial numbers and move
> rapidly to SHA1. As long as this happens before Eurocrypt or whenever
> the results end up being
On Tue, 30 Dec 2008, Hal Finney wrote:
>
> - The attack relies on cryptographic advances in the state of the art for
>finding MD5 collisions from inputs with different prefixes. These advances
>are not yet being published but will presumably appear in 2009.
To insert a malicious "basicCon
At Tue, 30 Dec 2008 11:51:06 -0800 (PST),
"Hal Finney" wrote:
> Therefore the highest priority should be for the six bad CAs to change
> their procedures, at least start using random serial numbers and move
> rapidly to SHA1. As long as this happens before Eurocrypt or whenever
> the results end up
Re: http://www.win.tue.nl/hashclash/rogue-ca/
Key facts:
- 6 CAs were found still using MD5 in 2008: RapidSSL, FreeSSL, TC
TrustCenter AG, RSA Data Security, Thawte, verisign.co.jp. "Out of the
30,000 certificates we collected, about 9,000 were signed using MD5,
and 97% of those were is
Hello,
I wanted to chime in more during the previous x509 discussions but I was
delayed by some research.
I thought that I'd like to chime in that this new research about
attacking x509 is now released. We gave a talk about it at the 25c3
about an hour or two ago.
MD5 considered harmful
Hi all,
Today, 30 December 2008, at the 25th Annual Chaos Communication Congress in
Berlin,
we announced that we are currently in possession of a rogue Certification
Authority certificate. This certificate will be accepted as valid and trusted
by
all common browsers, because it appears to be si
30 matches
Mail list logo