[cryptography] Speaking of key management [was Re: Techniques for protecting CA Root certificate Secret]

2014-01-09 Thread Joe St Sauver
Hi,

Those who are interested in key management may wish to note:

Cryptographic Key Management Workshop 2014
http://www.nist.gov/itl/csd/ct/ckm_workshop2014.cfm
March 4-5, 2014, NIST, Gaithersburg MD

See also: SP 800-152 DRAFT A Profile for U. S. Federal Cryptographic Key

Re: [cryptography] Techniques for protecting CA Root certificate Secret Key

2014-01-08 Thread Joe St Sauver
Paul Fraser asked:

#Software and physical safe keeping of Root CA secret key are central to
#security of a large set of issued certificates.
#
#Are there any safe techniques for handling this problem taking into account the
#need to not have the control in the hands of one person?
#
#Any links

Re: [cryptography] Client TLS Certificates - why not?

2013-03-04 Thread Joe St Sauver
Hi,

strife asked:

#Can anyone enlighten me why client TLS certificates are used so rarely? It
#used to be a hassle in the past, but now at least the major browsers offer
#quite decent client cert support,

Not quite seeing eye-to-eye with you on the quite decent client cert support point, I'm

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-06-02 Thread Joe St Sauver
ianG asked:

#Would it be possible to describe in general words what LOA-1 thru 4 entails?

I hesitate to try to do so. The definitive answer can be found in
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
and includes many subtle and important points, but just to focus

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread Joe St Sauver
Chris Palmer commented:

# Well, it's obviously not quite that easy yet, but users can currently get
# a free client cert by visiting a web page and filling out a form, and
#
#IanG's point was that there should be no web page, no form. You know
#how sshd generates a host key when there isn't one

Re: [cryptography] Math corrections

2011-09-18 Thread Joe St Sauver
Ian asked:

#Right -- how to fix the race to the bottom?

Wasn't that supposed to be part of the Extended Validation solution? If it has failed at that, and I could see arguments either way, the other natural solution is probably government regulation. It likely wouldn't be pretty, but imagine:

Re: [cryptography] [SSL Observatory] After the dust settles -- what happens next? (v. Long)

2011-09-12 Thread Joe St Sauver
Peter Gutmann pgut...@cs.auckland.ac.nz commented:

#[0] I'm being conservative here, in practice I don't recall seeing anyone
#expressing faith in PKI, but I didn't read every one of the vast numbers
#of comments.

Well, I'd suggest that NIST 800-63