Re: Maybe It's Snake Oil All the Way Down

2003-06-08 Thread Frederick Hirsch
Rich Salz wrote: Perhaps a few "best practices" papers are in order. They might help the secure (distributed) computing field a great deal. /r$ -- The new book, Practical Cryptography, by Niels Ferguson and Bruce Schneier is useful. regards, Frederick

Re: Maybe It's Snake Oil All the Way Down

2003-06-08 Thread Jaap-Henk Hoepman
I thought the 3G (UMTS) cellphones at least were going to use reasonably good crypto; don't know about the overall security architecture though. Jaap-Henk On Fri, 06 Jun 2003 14:30:04 -0400 Ian Grigg <[EMAIL PROTECTED]> writes: > John Kelsey wrote: > >> So, what can I do about it, as an individu

Re: Maybe It's Snake Oil All the Way Down

2003-06-07 Thread Dave Howe
James A. Donald wrote: > Could you point me somewhere that illustrates server issued > certs, certification with zero administrator overhead and small > end user overhead? Been a while since I played with it, but IIRC OpenCA (www.openca.org) is a full implementation of a CA, in perl cgi, with no adm

Re: Maybe It's Snake Oil All the Way Down

2003-06-07 Thread t . c . jones
my site has one. ca0.net ..tom > -- > On 7 Jun 2003 at 19:05, Dave Howe wrote: > > issuing certs to someone is trivial from both a server and a > > user endpoint - the user just gets a "click here to request > > your key" and hits ok on a few dialog boxes; the server > > simply hosts some pr

Re: Maybe It's Snake Oil All the Way Down

2003-06-07 Thread James A. Donald
-- On 7 Jun 2003 at 19:05, Dave Howe wrote: > issuing certs to someone is trivial from both a server and a > user endpoint - the user just gets a "click here to request > your key" and hits ok on a few dialog boxes; the server > simply hosts some pretty off-the-shelf cgi. >[...] > its surpri

Re: Maybe It's Snake Oil All the Way Down

2003-06-07 Thread Dave Howe
Anonymous Sender wrote: > James A. Donald writes: > E-Gold could set things up to allow its customers to authenticate with > certs issued by Verisign, or with considerably more work it could even > issue certs itself that could be used for customer authentication. > Why doesn't it do so? Well, it'

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Peter Gutmann
Derek Atkins <[EMAIL PROTECTED]> writes: >Actually, the ASN.1 part is a major factor in the X.509 interoperability >problems. Different cert vendors include different extensions, or different >encodings. They put different information into different parts of the >certificate (or indeed the same

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Anonymous Sender
James A. Donald writes: > Suppose the e-gold, to prevent this sea of spam trying to get > people to login to fake e-gold sites, wanted people to use > public keys instead of shared secrets, making your secret key > the instrument that controls the account instead of your shared > password. > >

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread David Wagner
Ian Grigg wrote: >(Similar to GSM's. That is hard to attack, >there is AFAIR no 'trivial' attack, [...] Just wait a little while. By the way, one can already buy fake base stations that mount man-in-the-middle attacks on GSM as a way to eavesdrop on GSM calls. It's off the shelf, but it costs r

Re: CDR: Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Jamie Lawrence
On Fri, 06 Jun 2003, James A. Donald wrote: > Suppose the e-gold, to prevent this sea of spam trying to get > people to login to fake e-gold sites, wanted people to use > public keys instead of shared secrets, making your secret key > the instrument that controls the account instead of your shared

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread James A. Donald
-- James A. Donald: > > Certificate caching is not the problem that needs solving. > > The problem is all this spam attempting to fool people into > > logging in to fake BofA websites and fake e-gold websites, > > to steal their passwords or credit card numbers On 6 Jun 2003 at 15:04, Tim Dier

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Anne & Lynn Wheeler
At 04:24 PM 6/6/2003 -0700, James A. Donald wrote: >I don't think so. ??? public key registered in place of shared-secret? NACHA debit trials using digitally signed transactions did it with both software keys as well as hardware tokens. http://internetcouncil.nacha.org/News/news.html in the abo

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Harmon Seaver
On Fri, Jun 06, 2003 at 06:08:34PM -0400, Ian Grigg wrote: > Derik asks the pertinent question: > > The question is: how do we convince M$ and Netscape to include something > > else in their software? If it's not supported in IE, then it won't be > > available to the vast majority of users out the

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread James A. Donald
-- On 4 Jun 2003 at 20:58, Anne & Lynn Wheeler wrote: > it is relatively trivial to demonstrate that public keys can > be registered in every business process that currently > registers shared- secrets (pins, passwords, radius, kerberos, > etc, etc) I don't think so. Suppose the e-gold, to pr

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Ian Grigg
Derik asks the pertinent question: > The question is: how do we convince M$ and Netscape to include something > else in their software? If it's not supported in IE, then it won't be > available to the vast majority of users out there. My view, again, IMHO: ignore Microsoft. Concentrate on the o

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Eric Rescorla
[EMAIL PROTECTED] (Peter Gutmann) writes: > Bodo Moeller <[EMAIL PROTECTED]> writes: > > >Using an explicit state machine helps to get code suitable for multiplexing > >within a single thread various connections using non-blocking I/O. > > Is there some specific advantage here, or is it an acade

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Anne & Lynn Wheeler
At 04:42 PM 6/4/2003 -0700, Eric Rescorla wrote: >Nonsense. One can simply cache the certificate, exactly as >one does with SSH. In fact, Mozilla at least does exactly >this if you tell it to. The reason that this is uncommon >is because the environments where HTTPS is used >are generally spontaneo

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Tim Dierks
At 10:09 PM 6/4/2003, James A. Donald wrote: Eric Rescorla > Nonsense. One can simply cache the certificate, exactly as > one does with SSH. In fact, Mozilla at least does exactly > this if you tell it to. The reason that this is uncommon is > because the environments where HTTPS is used are genera

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Ian Grigg
John Kelsey wrote: > So, what can I do about it, as an individual? Make the cellphone companies > build good crypto into their systems? Any ideas how to do that? Nope. Cellphone companies are big slow moving targets. They get their franchise from the government. If the NSA wants weak crypto,

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Derek Atkins
Eric Rescorla <[EMAIL PROTECTED]> writes: > This isn't really true in the SSL case: > To a first order, everyone ignores any extensions (except sometimes > the constraints) and uses the CN for the DNS name of the server. Except some CAs make certs that can only work as an SSL server and not an SS

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Eric Rescorla
Derek Atkins <[EMAIL PROTECTED]> writes: > Eric Murray <[EMAIL PROTECTED]> writes: > > > Too often people see something like Peter's statement above and say > > "oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just > > do it in XML instead and then it'll work fine" which is simpl

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread Derek Atkins
Eric Murray <[EMAIL PROTECTED]> writes: > Too often people see something like Peter's statement above and say > "oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just > do it in XML instead and then it'll work fine" which is simply not true. > The formatting of the certificates is

Re: Maybe It's Snake Oil All the Way Down

2003-06-06 Thread John Kelsey
At 03:50 PM 6/3/03 -0700, Eric Blossom wrote: ... GSM and CDMA phones come with the crypto enabled. The crypto's good enough to keep out your neighbor (unless he's one of us) but if you're that paranoid, you should opt for the end-to-end solution. The CDMA stuff (IS-95) is pretty broken: *linear*

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread John Young
The White House Communications Agency is also working hard to secure presidential communications, with legacy systems needing ever-increasing maintenance and upgrades, the market continuing to outpace the big-ticket legacy clunker equipment, too expensive to chuck outright, yet having flaws begging

[eb@comsec.com: Re: Maybe It's Snake Oil All the Way Down]

2003-06-04 Thread Eric Murray

[eay@pobox.com: Re: Maybe It's Snake Oil All the Way Down]

2003-06-04 Thread Eric Murray

Re: CDR: Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread David Wagner
Sampo Syreeni wrote: >Rather it's the fact that the Big >Brother doesn't have the necessary total funds, and so doesn't listen into >a considerable proportion of calls as a whole. Yet. As far as we know. :-) I agree it's an economic issue, and law enforcement doesn't seem to listen in on a con

Re: Maybe It's Snake Oil All the Way Down

2003-06-03 Thread Tim May
On Monday, June 2, 2003, at 07:09 AM, Ian Grigg wrote: PGP was also mildly successful, and was done by one guy, PRZ. The vision was very clear. All others had to do was to fix the bugs... Sadly, free versions never quite made the jump into GUI mail clients, so widespread success was denied to

Re: Maybe It's Snake Oil All the Way Down

2003-06-01 Thread Major Variola (ret)
At 08:32 PM 5/31/03 -0400, Scott Guthery wrote: >Hello, Rich ... > >When I drill down on the many pontifications made by computer >security and cryptography experts all I find is given wisdom. Maybe >the reason that folks roll their own is because as far as they can see >that's what everyone does.