Rich Salz wrote:
Perhaps a few "best practices" papers are in order. They might help
the secure (distributed) computing field a great deal.
/r$
--
The new book, Practical Cryptography, by Niels Ferguson and
Bruce Schneier is useful.
regards,
Frederick
I thought the 3G (UMTS) cellphones at least were going to use reasonably good
crypto; don't know about the overall security architecture though.
Jaap-Henk
On Fri, 06 Jun 2003 14:30:04 -0400 Ian Grigg <[EMAIL PROTECTED]> writes:
> John Kelsey wrote:
>
>> So, what can I do about it, as an individu
James A. Donald wrote:
> Could you point me somewhere that illustates server issued
> certs, certification with zero administrator overhead and small
> end user overhead?
Been a while since I played with it, but IIRC OpenCA (www.openca.org) is a
full implimentation of a CA, in perl cgi, with no adm
my site has one.
ca0.net
..tom
> --
> On 7 Jun 2003 at 19:05, Dave Howe wrote:
> > issuing certs to someone is trivial from both a server and a
> > user endpoint - the user just gets a "click here to request
> > your key" and hits ok on a few dialog boxes; the server
> > simply hosts some pr
--
On 7 Jun 2003 at 19:05, Dave Howe wrote:
> issuing certs to someone is trivial from both a server and a
> user endpoint - the user just gets a "click here to request
> your key" and hits ok on a few dialog boxes; the server
> simply hosts some pretty off-the-shelf cgi.
>[...]
> its surpri
Anonymous Sender wrote:
> James A. Donald writes:
> E-Gold could set things up to allow its customers to authenticate with
> certs issued by Verisign, or with considerably more work it could even
> issue certs itself that could be used for customer authentication.
> Why doesn't it do so? Well, it'
Derek Atkins <[EMAIL PROTECTED]> writes:
>Actually, the ASN.1 part is a major factor in the X.509 interoperability
>problems. Different cert vendors include different extensions, or different
>encodings. They put different information into different parts of the
>certificate (or indeed the same
James A. Donald writes:
> Suppose the e-gold, to prevent this sea of spam trying to get
> people to login to fake e-gold sites, wanted people to use
> public keys instead of shared secrets, making your secret key
> the instrument that controls the account instead of your shared
> password.
>
>
Ian Grigg wrote:
>(Similar to GSM's. That is hard to attack,
>there is AFAIR no 'trival' attack, [...]
Just wait a little while.
By the way, one can already buy fake base stations that
mount man-in-the-middle attacks on GSM as a way to eavesdrop
on GSM calls. It's off the shelf, but it costs r
On Fri, 06 Jun 2003, James A. Donald wrote:
> Suppose the e-gold, to prevent this sea of spam trying to get
> people to login to fake e-gold sites, wanted people to use
> public keys instead of shared secrets, making your secret key
> the instrument that controls the account instead of your shared
--
James A. Donald:
> > Certificate caching is not the problem that needs solving.
> > The problem is all this spam attempting to fool people into
> > logging in to fake BofA websites and fake e-gold websites,
> > to steal their passwords or credit card numbers
On 6 Jun 2003 at 15:04, Tim Dier
At 04:24 PM 6/6/2003 -0700, James A. Donald wrote:
>I don't think so.
??? public key registered in place of shared-secret?
NACHA debit trials using digitally signed transactions did it with both
software keys as well as hardware tokens.
http://internetcouncil.nacha.org/News/news.html
in the abo
On Fri, Jun 06, 2003 at 06:08:34PM -0400, Ian Grigg wrote:
> Derik asks the pertinant question:
> > The question is: how do we convince M$ and Netscape to include something
> > else in their software? If it's not supported in IE, then it wont be
> > available to the vast majority of users out the
--
On 4 Jun 2003 at 20:58, Anne & Lynn Wheeler wrote:
> it is relatively trivial to demonstrate that public keys can
> be registered in every business process that currently
> registers shared- secrets (pins, passwords, radius, kerberos,
> etc, etc)
I don't think so.
Suppose the e-gold, to pr
Derik asks the pertinant question:
> The question is: how do we convince M$ and Netscape to include something
> else in their software? If it's not supported in IE, then it wont be
> available to the vast majority of users out there.
My view, again, IMHO: ignore Microsoft. Concentrate
on the o
[EMAIL PROTECTED] (Peter Gutmann) writes:
> Bodo Moeller <[EMAIL PROTECTED]> writes:
>
> >Using an explicit state machine helps to get code suitable for multiplexing
> >within a single thread various connections using non-blocking I/O.
>
> Is there some specific advantage here, or is it an acade
At 04:42 PM 6/4/2003 -0700, Eric Rescorla wrote:
>Nonsense. One can simply cache the certificate, exactly as
>one does with SSH. In fact, Mozilla at least does exactly
>this if you tell it to. The reason that this is uncommon
>is because the environments where HTTPS is used
>are generally spontaneo
At 10:09 PM 6/4/2003, James A. Donald wrote:
Eric Rescorla
> Nonsense. One can simply cache the certificate, exactly as
> one does with SSH. In fact, Mozilla at least does exactly
> this if you tell it to. The reason that this is uncommon is
> because the environments where HTTPS is used are genera
John Kelsey wrote:
> So, what can I do about it, as an individual? Make the cellphone companies
> build good crypto into their systems? Any ideas how to do that?
Nope. Cellphone companies are big slow moving
targets. They get their franchise from the
government. If the NSA wants weak crypto,
Eric Rescorla <[EMAIL PROTECTED]> writes:
> This isn't really true in the SSL case:
> To a first order, everyone ignores any extensions (except sometimes
> the constraints) and uses the CN for the DNS name of the server.
Except some CAs make certs that can only work as an SSL server and not
an SS
Derek Atkins <[EMAIL PROTECTED]> writes:
> Eric Murray <[EMAIL PROTECTED]> writes:
>
> > Too often people see something like Peter's statement above and say
> > "oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just
> > do it in XML instead and then it'll work fine" which is simpl
Eric Murray <[EMAIL PROTECTED]> writes:
> Too often people see something like Peter's statement above and say
> "oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just
> do it in XML instead and then it'll work fine" which is simply not true.
> The formatting of the certificates is
At 03:50 PM 6/3/03 -0700, Eric Blossom wrote:
...
GSM and CDMA phones come with the crypto enabled. The crypto's good
enough to keep out your neighbor (unless he's one of us) but if you're
that paranoid, you should opt for the end-to-end solution. The CDMA
stuff (IS-95) is pretty broken: *linear*
The White House Communications Agency is also working
hard to secure presidential communications, with legacy
systems needing ever-increasing maintenance and upgrades,
the market continuing to outpace the big-ticket legacy
clunker equipment, too expensive to chuck outright, yet having
flaws begging
hery
<[EMAIL PROTECTED]>, Rich Salz <[EMAIL PROTECTED]>,
Bill
Stewart <[EMAIL PROTECTED]>, cypherpunks <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Subject: Re: Maybe It's Snake Oil All the Way Down
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.4i
On Tue, J
g-To: [EMAIL PROTECTED]
CC: EKR <[EMAIL PROTECTED]>, Eric Murray <[EMAIL PROTECTED]>,
Scott Guthery
<[EMAIL PROTECTED]>, Rich Salz <[EMAIL PROTECTED]>,
Bill
Stewart <[EMAIL PROTECTED]>, cypherpunks <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Subject: Re: M
hery
<[EMAIL PROTECTED]>, Rich Salz <[EMAIL PROTECTED]>,
Bill
Stewart <[EMAIL PROTECTED]>, cypherpunks <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Subject: Re: Maybe It's Snake Oil All the Way Down
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.4i
On Tue, J
Sampo Syreeni wrote:
>Rather it's the fact that the Big
>Brother doesn't have the necessary total funds, and so doesn't listen into
>a considerable proportion of calls as a whole.
Yet.
As far as we know.
:-)
I agree it's an economic issue, and law enforcement doesn't seem to
listen in on a con
On Monday, June 2, 2003, at 07:09 AM, Ian Grigg wrote:
PGP was also mildly successful, and was done by
one guy, PRZ. The vision was very clear. All others
had to do was to fix the bugs... Sadly, free versions
never quite made the jump into GUI mail clients, so
widespread success was denied to
At 08:32 PM 5/31/03 -0400, Scott Guthery wrote:
>Hello, Rich ...
>
>When I drill down on the many pontifications made by computer
>security and cryptography experts all I find is given wisdom. Maybe
>the reason that folks roll their own is because as far as they can see
>that's what everyone does.
30 matches
Mail list logo