Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Thor Lancelot Simon
On Tue, Apr 24, 2012 at 12:07:33PM -0500, Nico Williams wrote: > On Tue, Apr 24, 2012 at 11:20 AM, Marsh Ray wrote: > > On 04/23/2012 08:47 PM, Peter Maxwell wrote: > > I look at it this way: > > > > * Revocation is junk. It doesn't work. It especially doesn't work when an > > attacker wants it no

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Peter Maxwell
On 24 April 2012 17:20, Marsh Ray wrote: > On 04/23/2012 08:47 PM, Peter Maxwell wrote: > >> >> On 23 April 2012 22:41, Marsh Ray > > wrote: >> >>Do you all agree with my assertion that "No one with a clue about >>PKI security would believe that a revoked

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Nico Williams
On Tue, Apr 24, 2012 at 11:20 AM, Marsh Ray wrote: > On 04/23/2012 08:47 PM, Peter Maxwell wrote: > I look at it this way: > > * Revocation is junk. It doesn't work. It especially doesn't work when an > attacker wants it not to work. > > It is so broken that Chrome isn't even going to bother with

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Marsh Ray
On 04/23/2012 08:47 PM, Peter Maxwell wrote: On 23 April 2012 22:41, Marsh Ray wrote: Do you all agree with my assertion that "No one with a clue about PKI security would believe that a revoked cert provides equivalent security from misuse as a natu

Re: [cryptography] NIST and other organisations that set up standards in information security & cryptography. (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-24 Thread Peter Maxwell
On 23 April 2012 19:53, David Adamson wrote: > On 4/23/12, Steven Bellovin wrote: > > > > On Apr 23, 2012, at 12:51 14PM, David Adamson wrote: > > > >> > >> Unfortunately, also I do not see any more improvements of the > >> implementations of other SHA-3 candidates that did not enter 2-nd and >

[cryptography] what do you get when you combine Phil Zimmermann, Jon Callas, and a couple of ex-Navy SEALs?

2012-04-24 Thread Zooko Wilcox-O'Hearn
http://allthingsd.com/20120423/pgp-creator-phil-zimmerman-has-a-new-venture-called-silent-circle/ https://silentcircle.com/ Continually nowadays I think I'm living in one of the science fiction novels of my youth. This one is by Neal Stephenson, I think. Regards, Zooko