Re: DSA key sizes

2000-07-12 Thread Pete Chown
Eric Rescorla wrote: SHA-1 is only 2^80 strong against birthday attack. If you go around using SHA-1 or worse yet MD5 to sign stuff then using a private key of size 1024 is only of limited value. If you want to forge a signature, you will probably not be able to use the birthday attack.

Re: MDC2 block size

2000-06-30 Thread Pete Chown
Burger, Kobus K wrote: I have noticed a couple of discrepancies between mainframe support for MDC2 and OpenSSL's support: * Mainframe supports MDC2 with various keys (The documentation notes that the default key is the same as the one used by OpenSSL) - Openssl has a single key

Re: Random Numbers in Client Hello and Server Hello

2000-06-21 Thread Pete Chown
Raghuram Belur wrote: I am wondering if it is possible to use some simple cross-platform [PRNG] on the client which is probably not too hard to guess and use a more robust mechanism such as an entropy gathering daemon on the server You will have to be very careful. For example, if you use

Re: RSA Patent Issues... interesting article...

2000-05-10 Thread Pete Chown
Geoff Thorpe wrote: Which leaves the mathematical consideration of the multi-prime keys themselves, and their generation, to be debated (ie. I doubt the patent could rest on an argument that it is a physical process, or an implementation invention, because that should bang its head on the

Re: openssl deperately needs some intro docs

2000-01-04 Thread Pete Chown
Leland V. Lammert wrote: I don't think you have placed OpenSSL in the proper perspective. OpenSSL is a *toolkit* used primarily with OTHER applications. Most toolkits have documentation, though. Developers need to know how to use the product just like anyone else. For an example, see the

Re: Seeking officers for Free-software-friendly CA

2000-01-04 Thread Pete Chown
Dr. Greg Quinn wrote: A big limitation as far as I can see would be getting certs pre-installed into web browsers. The chance of either MS or netscape doing this would be close to none. Yes. On the other hand, there is a way of giving people a trusted copy of the root certificate without

Re: sslified imap server

1999-12-02 Thread Pete Chown
Kristian Köhntopp wrote: Now, where do I find a free SSLified IMAP server, please? ;-) It depends if you want the old or new version of the protocol. The old version has a different port number for secured IMAP; the new one doesn't. If you want the new version, you could have a look at

ANNOUNCE: SafeGossip first beta

1999-11-22 Thread Pete Chown
At long last, here is the first beta release of SafeGossip, which implements the new RFCs and Internet drafts for telnet, FTP, IMAP, POP and SMTP over TLS. Here are some of the new features: * Telnet support is now implemented according to the Internet draft. * You can now configure SafeGossip

Re: Mapping Certs to local account names: is there a standard practice?

1999-11-03 Thread Pete Chown
Jeffrey Altman wrote: How are you mapping a client cert to a local Unix account name? Are you using a field within the cert? If so, which one(s)? Are different fields used for different services? Or are you using some form of Certificate MApping Service which takes a validated cert as

Re: using openssl like pgp

1999-10-22 Thread Pete Chown
Joe Pruett wrote: did you ever find a way to do this? i am just starting down the same road. pgp licensing is way out of control for commercial use nowadays ($9500!). If you want to do PGP-style messages for commercial use, you are probably best off with the GNU Privacy Guard

SafeGossip

1999-10-04 Thread Pete Chown
Some of you have been asking about my package which implements various protocols over TLS. Here is an alpha release. I have called the package SafeGossip, or Gossip for short. Currently the protocols implemented are FTP, telnet (sort of), IMAP, SMTP and POP. Gossip supports both the old and

Re: a task that I'm sure someone has solved

1999-09-28 Thread Pete Chown
Craig Idler wrote: Has someone done something like this in the past? It seems an ssl enabled telnet program could do this. It's so easy to use basic telnet talking to port 80, but using something that communicates with port 443 is a different story. Try "openssl s_client". This is similar

Re: What US companies need to know about RSA

1999-09-21 Thread Pete Chown
Dave Neuer wrote: RSADSI seem to have a propensity for casting information in a decidedly pro-RSADSI light. Kind of like the way they convinced the IETF that the licensing for RSA would always be "affordable and non-discriminatory." Interestingly one of the RFCs says that the licence fee is

Re: Signing external certs with local CA

1999-06-29 Thread Pete Chown
hat a user possesses a certificate. (It is often said that certificates should only be used to vouch for identity and not as a basis for access control decisions. Of course in practice people do not always keep to this.) --- Pete Ch

Re: Mapping Certs to local account names: is there a standard pra

1999-01-02 Thread Pete Chown
Michael Urban wrote: Perhaps a file mapping a certificate subject name to a local username is a better solution. The certificate can be used at sites with different usernames that aren't known at certificate issue time, and doesn't require extra baggage in the certificate. This might work