On 21/08/2009 20:30, Ellen Chan wrote:
Hi again Ian,
Yes I can appreciate that there are priorities and you're reluctant to
get into something overly complex.
Well, I won't be coding it :) I'm just offering my opinion, which we
might recognise as being polarised against the majority here.
Hello Justin,
On 20/08/2009 17:45, Justin wells wrote:
Hi Ian,
Thanks for your reply! It's very enlightening, and I do agree that in
the real world there are a lot of issues other than the cryptographic
issues. Just to be sure, I am not suggesting that the weakest link
should be as strong as
Hi again Ian,
Yes I can appreciate that there are priorities and you're reluctant to
get into something overly complex. It's probably wise then to drop any
attempt to have the application sort out which is the weaker link and
instead just bubble that information up to the user, so that they can
Right, so from that RFC:
Note that higher layers should not be overly reliant on TLS always
negotiating the strongest possible connection between two peers:
there are a number of ways a man in the middle attacker can attempt
to make two entities drop down to the least secure method they
On 19/08/2009 20:30, Justin wells wrote:
Plainly the concern is that 256 bit AES does you no good if the AES
keys were exchanged insecurely. The security of the connection is the
lesser of the security of the content encryption, and the security of
the key agreement protocol
Yes, this is
Hi Ian,
Thanks for your reply! It's very enlightening, and I do agree that in
the real world there are a lot of issues other than the cryptographic
issues. Just to be sure, I am not suggesting that the weakest link
should be as strong as the strongest link. I am just trying to
understand how weak
Justin makes some valid points.
Risk-management in the future is going to increasingly be about
transparency and disclosure. As long as Firefox and Thunderbird
provide information about the strengths of different keys in
the SSL/TLS negotiation, Mozilla will be advancing the cause of
better
On 2009-08-19 11:30 PDT, Justin wells wrote:
Hi all,
When I visit an HTTPS link I can see what strength of encryption is
used to encrypt the content (e.g., 256 bit AES) and if I dig a little
I can even see the strength of the certificate used for authentication
(e.g., 1024 bit RSA). What I