Web Security Company Takes No Prisoners
http://www.nytimes.com/2002/01/14/technology/ebusiness/14SECU.html?pagewanted=print January 14, 2002 Web Security Company Takes No Prisoners By CHRISTINE BLANK s a former airborne infantry officer in the Army, Clarence Briggs was trained to protect the country from foreign enemies. Now, he is using those specialized skills to protect his company, Advanced Internet Technologies, from hackers, competitors and disgruntled employees. Surrounding the company's property in Fayetteville, N.C., is coiled razor wire atop a six-foot chain-link fence. The buildings have eight-inch- thick concrete walls and are patrolled by uniformed guards with ready access to firearms. Mr. Briggs explained that he did not want competitors to steal server computers or data - something he said he had seen at other companies that like his, serve as hosts for client's Web sites. Mr. Briggs, who founded the privately held company six years ago along with other former military people, has also installed video cameras, created password access to secured areas, locked sensitive documents in a vault and insisted on extensive employee background checks. He said such measures were necessary to protect the 32,000 Web sites the company operates for companies based in this country and abroad. Security must absolutely pervade an organization, especially an I.T. organization, Mr. Briggs said, using an abbreviation for information technology. Most I.T. organizations don't even know how bad they get hurt - until it's too late. He says that the company, which is generally known as A.I.T., deals with several attempted network hacker attacks a day. Fortifications include A.I.T.'s custom-made firewall software, vigilant surveillance by the staff - most of whom are military veterans with extensive technical training. If I catch you, no expense is too great for me to come after you, and I will make your life miserable, Mr. Briggs, a former major, said. The A.I.T. team tracks down perpetrators, then either phones them or sends representatives from the company or local law enforcement agencies to warn against further attempts. We employ a lot of little traps to track folks that access our network, Mr. Briggs said. We use the typical ambush techniques. The company is so confident of its preparedness that it plans to offer a security service for corporations this spring. The program, Mr. Briggs said, will be modeled on A.I.T.'s mix of physical and electronic security, along with a rapid deployment team that can be quickly dispatched to deal with security breaches. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
Ben Laurie [EMAIL PROTECTED] writes: Michael Sierchio wrote: Carl Ellison wrote: If that's not good enough for you, go to https://store.palm.com/ where you have an SSL secured page. SSL prevents a man in the middle attack, right? This means your credit card info goes to Palm Computing, right? Check the certificate. To be fair, most commercial CA's require evidence of right to use a FQDN in an SSL server cert. But your point is apt. And most (all?) commercial CAs then disclaim any responsibility for having actually checked that right correctly... While this is true, I'd point out that all the security software you're using disclaims any responsibility for not having gaping security holes. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
Eric Rescorla writes: Ben Laurie [EMAIL PROTECTED] writes: Michael Sierchio wrote: Carl Ellison wrote: If that's not good enough for you, go to https://store.palm.com/ where you have an SSL secured page. SSL prevents a man in the middle attack, right? This means your credit card info goes to Palm Computing, right? Check the certificate. To be fair, most commercial CA's require evidence of right to use a FQDN in an SSL server cert. But your point is apt. And most (all?) commercial CAs then disclaim any responsibility for having actually checked that right correctly... While this is true, I'd point out that all the security software you're using disclaims any responsibility for not having gaping security holes. If an automaker disclaimed liability for a vehicle, and a negligent design or manufacture resulted in injury or loss, it is my understanding that the liability disclaimer notwithstanding, the automaker would be held responsible. Why do we believe that the same would not be the case for software? Paul Ward - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
[EMAIL PROTECTED] writes: Eric Rescorla writes: Ben Laurie [EMAIL PROTECTED] writes: And most (all?) commercial CAs then disclaim any responsibility for having actually checked that right correctly... While this is true, I'd point out that all the security software you're using disclaims any responsibility for not having gaping security holes. If an automaker disclaimed liability for a vehicle, and a negligent design or manufacture resulted in injury or loss, it is my understanding that the liability disclaimer notwithstanding, the automaker would be held responsible. Why do we believe that the same would not be the case for software? In that case, why should the liability also apply to CAs, despite their disclaimers? -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
[EMAIL PROTECTED] writes: Eric Rescorla writes: [EMAIL PROTECTED] writes: If an automaker disclaimed liability for a vehicle, and a negligent design or manufacture resulted in injury or loss, it is my understanding that the liability disclaimer notwithstanding, the automaker would be held responsible. Why do we believe that the same would not be the case for software? In that case, why should the liability also apply to CAs, despite their disclaimers? Do you mean why should, or why shouldn't? If the latter, then, sure, I believe it should. People running around in business selling products and services and then disclaiming any liability with regard to their performance _for_their_intended_task_ is, IMHO, wrong. Right. My point is this: Security people often argue that PKI is worthless on the grounds that the CAs disclaim all liability. This argument leads to the conclusion that security is essentially worthless since scurity software almost invariably comes with a disclaimer of all liability. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
[EMAIL PROTECTED] wrote: If an automaker disclaimed liability for a vehicle, and a negligent design or manufacture resulted in injury or loss, it is my understanding that the liability disclaimer notwithstanding, the automaker would be held responsible. Why do we believe that the same would not be the case for software? Because insufficient case law exists -- some lawyers are bright enough to see pools of liability with software, esp. known vulnerabilities used in DDOS, etc. -- and we technologists are not a litigious bunch. What do you call someone who had a C average in law school? Your honor. That's probably the other problem. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
Eric Rescorla wrote: Ben Laurie [EMAIL PROTECTED] writes: Michael Sierchio wrote: Carl Ellison wrote: If that's not good enough for you, go to https://store.palm.com/ where you have an SSL secured page. SSL prevents a man in the middle attack, right? This means your credit card info goes to Palm Computing, right? Check the certificate. To be fair, most commercial CA's require evidence of right to use a FQDN in an SSL server cert. But your point is apt. And most (all?) commercial CAs then disclaim any responsibility for having actually checked that right correctly... While this is true, I'd point out that all the security software you're using disclaims any responsibility for not having gaping security holes. I have the source to all the security software I'm using... in fact, I wrote quite a lot of it :-) Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
Does a user of ssl services care to know absolutely that they are communicating verifiably with whom they believe they have contacted, or does the user care to know absolutely that their communication is completely private? I believe that the latter is most important; transparency through certificate presentation is kept deliberately expensive and is, as has been noted, often disclaimed by CAs, and is compromisable. It's an artificial system of site security perpetuated by the interests of commercial browsers. Why can't self-verification be promoted? Why can't an nslookup call be built into certificate presentations? Yeah I know there's no money in it and certs are one of the few things that actually makes money on the net, but sometimes the built-in dumbing of the commercial internet user by their browser goes too far. The pure truth of mathematical encryption is sold and packaged as a certificate to the internet user, when in fact its power and utility is free of charge, and it is only disclaimed with respect to future or unknown developments. Stef Caunter [EMAIL PROTECTED] ## $ find /self -ctime +1 ## - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
[EMAIL PROTECTED] wrote: ... People running around in business selling products and services and then disclaiming any liability with regard to their performance _for_their_intended_task_ is, IMHO, wrong. IMHO this presents an unsophisticated notion of right versus wrong. By way of analogy: Suppose you go skiing in Utah. A rut left by a previous skier causes you to fall and break your leg, or worse. Now everybody involved has been using the ski area _in_the_intended_manner_ yet something bad happened. So who is liable? The ski area could have groomed that trail, but they didn't. They could have enforced a speed limit, but they didn't. They could at least have bought insurance to cover you, but they didn't. They simply disclaimed all liability for your injury. Not only is this disclaimer a matter of contract (a condition of sale of the lift ticket) it is codified in Utah state law. Other states are similar. If you don't like it, don't ski. Returning to PKI in particular and software defects in particular: Let's not make this a Right-versus-Wrong issue. There are intricate and subtle issues here. Most of these issues are negotiable. In particular, you can presumably get somebody to insure your whole operation, for a price. In the grand scheme of things, it doesn't matter very much whether you (the PKI buyer/user) obtain the insurance directly, or whether the other party (the PKI maker/vendor) obtains the insurance and passes the cost on to you. The insurer doesn't much care; the risk is about the same either way. The fact is that today most people choose to self-insure for PKI defects. If you don't like it, you have many options: -- Call up some PKI vendor(s) and negotiate for better warranty terms. Let us know what this does to the price. -- Call up http://www.napslo.org/ or some such and get your own insurance. Let us know the price. -- Write your own PKI. Then defray costs, if desired, by becoming a vendor. -- Et cetera. In general, there is a vast gray area between Right and Wrong. Most things in my life can be described as not perfect, but way better than nothing. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
At 10:49 AM 1/12/02 -0800, Carl Ellison wrote: If that's not good enough for you, go to https://store.palm.com/ where you have an SSL secured page. SSL prevents a man in the middle attack, right? This means your credit card info goes to Palm Computing, right? Check the certificate. More demos: You can create your own cert with TinySSL, a lightweight ( 100Kbyte) server for Wintel, http://www.ritlabs.com/tinyweb/tinyssl.html and amuse your friends if they bother to read the info there. Using trademarks (RSA, Verisign, etc.) in the fields would escape most. Or, as the TinySSL docs advise, you can get a free cert from Thawte --which *in fact* certifies only that you can receive email at the address you gave them. As others have written, great for enabling SSL's confidentiality, nothing else. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
- Original Message - From: Eric Rescorla [EMAIL PROTECTED] To: Stef Caunter [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; SPKI Mailing List [EMAIL PROTECTED] Sent: Monday, January 14, 2002 12:44 PM Subject: Re: CFP: PKI research workshop Stef Caunter [EMAIL PROTECTED] writes: Does a user of ssl services care to know absolutely that they are communicating verifiably with whom they believe they have contacted, or does the user care to know absolutely that their communication is completely private? These are inextricably connected. If you want to know that your communications are private in the face of active attack you need to know who you're talking to as well. They may be connected, but save and except in the case of active man-in-the-middle attack I maintain that ssl's confidentiality, which is free, is what sells certificates. I use a free Thawte email cert for confidential communication; my identity is verified through their notarization system, again free. I believe that the latter is most important; transparency through certificate presentation is kept deliberately expensive and is, as has been noted, often disclaimed by CAs, and is compromisable. It's an artificial system of site security perpetuated by the interests of commercial browsers. How exactly does the difficulty of getting certificates help browser manufacturers? Browsers have CA root trust hard-coded into them. All commerce sites rely on their use and code with their use in mind. The commercial browser manufacturers also sell certificates. It is clearly difficult to engage in encrypted commerce without a major client browser development kit and a CA provided cert. The appearance of ease-of-use with a commercial certificate and commercial browser implies _greatly_ that thing which is explicitly _disclaimed_ by these people. Why can't self-verification be promoted? Why can't an nslookup call be built into certificate presentations? What are you talking about? An nslookup call wouldn't help anything. Why not? A self-generated certificate correlating to an ns and whois record pointing to an active business with a human to answer inquiries seems reasonable and no more disclaimable than CA evasiveness. The essential problem is establishing that the public key you receive over the network actually belongs to the person you think it does. In the absence of a prior arrangement, the only way we know how to do this is to have that binding vouched for by a third-party. Yes. Trust can be earned and vouched for by other third parties. Trust points are a commonly used method on the big auction sites. The Thawte Web of Trust works without the blessing of a financial transaction. I'm interested; why do we feel we have to point at something we bought to facilitate ssl transactions? Commercial browser and commercial security interests often promulgate the anxiety they claim to alleviate. SC -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
From epayments news
--- begin forwarded text Status: U Date: Mon, 14 Jan 2002 10:03:42 -0800 Subject: From epayments news From: Somebody To: R. Hettinga [EMAIL PROTECTED] Fujitsu Transaction Solutions Inc. will unveil a new handheld computer next week designed for retailers. The Fujitsu iPAD, a compact, Microsoft Windows CE .NET-based mobile device, available in mid-2002, will combine a scanner, magnetic- and smart-card reader, keypad with encryption capabilities, and phone capability. The devices are intended to give retailers a complete, wireless retail appliance. iPAD can be used for inventory management, debit transactions, price verifications, phone calls, line busting, mobile POS and gift registry. The product uses an Intel processor and can support any 802.11b wireless LAN infrastructure. With 'Windows CE .NET', iPAD will support both XML and VoIP. 802.11b capable as well as a magstripe reader? Perfect retail device for skimmers don't you think? (PS If you do forward this, zap my name OK?) Somebody --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
True Names reviewed on /.
--- begin forwarded text Status: U From: Trei, Peter [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: True Names reviewed on /. Date: Mon, 14 Jan 2002 14:08:57 -0500 Sender: [EMAIL PROTECTED] http://slashdot.org/books/01/12/27/1845203.shtml 'michael' has reviewed True Names and The Opening of the Cyberspace Frontier over on slashdot. I won't discuss the review or the book in detail other than to say that the book should be considered Required Reading, and the review is also good. michael has this to say about our Resident Author: Timothy May, who is perhaps best known for his ranting posts about crypto anarchy, has a lengthy and astonishingly well-written essay titled True Nyms and Crypto Anarchy. The essay reads as if an editor with a firm hand extracted most of May's characteristic wild-eyed prose and yet kept the insightful ideas behind it - if only all of his writing was like this essay. It's a great introduction to what May means by crypto anarchy. May is one of the most optimistic writers in the book, and he, as well as the other writers, believe that we are at a fork: either we'll move toward a surveillance state, or toward what May calls an anarcho-capitalist state, but the middle ground is unstable - we'll end up at one extreme or the other. May believes we're already firmly on the road toward anarcho-crypto-utopia. Peter Trei This e-mail, its content and any files transmitted with it are intended solely for the addressee(s) and are PRIVILEGED and CONFIDENTIAL. Access by any other party is unauthorized without the express prior written permission of the sender. If you have received this e-mail in error you may not copy, disclose to any third party or use the contents, attachments or information in any way, Please delete all copies of the e-mail and the attachment(s), if any and notify the sender. Thank You. --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
Stef Caunter [EMAIL PROTECTED] writes: Stef Caunter [EMAIL PROTECTED] writes: Does a user of ssl services care to know absolutely that they are communicating verifiably with whom they believe they have contacted, or does the user care to know absolutely that their communication is completely private? These are inextricably connected. If you want to know that your communications are private in the face of active attack you need to know who you're talking to as well. They may be connected, but save and except in the case of active man-in-the-middle attack I maintain that ssl's confidentiality, which is free, is what sells certificates. This is confused. What sells certificates is security. Users aren't sophisticated enough to understand the difference between confidentiality and authentication, but they've been told by the browser manufacturers (rightly) that in order to have security they need to have certificates. Saying that SSL without certificates is fine as long as you don't have active attacks is kind of like saying that leaving your front door open is fine as long as noone tries to break in. I use a free Thawte email cert for confidential communication; my identity is verified through their notarization system, again free. This is essentially the PGP model. It doesn't really work acceptably for large scale e-commerce. I believe that the latter is most important; transparency through certificate presentation is kept deliberately expensive and is, as has been noted, often disclaimed by CAs, and is compromisable. It's an artificial system of site security perpetuated by the interests of commercial browsers. How exactly does the difficulty of getting certificates help browser manufacturers? Browsers have CA root trust hard-coded into them. All commerce sites rely on their use and code with their use in mind. The commercial browser manufacturers also sell certificates. Since when? As far as I know, Microsoft and Netscape just send you to VeriSign. It is clearly difficult to engage in encrypted commerce without a major client browser development kit and a CA provided cert. It certainly isn't true that you need a major client browser development kit to engage in e-commerce. You can do just fine with ApacheSSL or mod_ssl. You do generally need a certificate. Why can't self-verification be promoted? Why can't an nslookup call be built into certificate presentations? What are you talking about? An nslookup call wouldn't help anything. Why not? A self-generated certificate correlating to an ns and whois record pointing to an active business with a human to answer inquiries seems reasonable and no more disclaimable than CA evasiveness. Both DNS and whois can be spoofed by an active attacker. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote:
Stef Caunter [EMAIL PROTECTED] writes:
Does a user of ssl services care to know absolutely that they are
communicating verifiably with whom they believe they have contacted, or does
the user care to know absolutely that their communication is completely
private?
These are inextricably connected. If you want to know that
your communications are private in the face of active attack
you need to know who you're talking to as well.
Of course you do. That's why https://store.palm.com/ is such a problem. You thought
you were talking to (and wanted to talk to) Palm Computing, just like the logos and
page layout said you were. You're not. You're talking to a MITM. Palm hired them to
run the store? The certificates don't say that.
[snip]
Why can't self-verification be promoted? Why can't an nslookup call be built
into certificate presentations?
What are you talking about? An nslookup call wouldn't help anything.
The essential problem is establishing that the public key you receive
over the network actually belongs to the person you think it does.
In the absence of a prior arrangement, the only way we know how
to do this is to have that binding vouched for by a third-party.
Actually, Eric, the third party might confuse that for you. The function it performs
with respect to naming is not totally unlike the function of early anonymizers. The
TTP chooses a name to bind to the public key that might have only a tenuous relation
to the name by which you know the keyholder. As a result, when you do a name
comparison between the certificate Subject and what you know about this person, the
person you think it does, you may have to make a guess about whether the match is
correct.
Here we spend all this effort to reduce the probability of error, in the cryptography,
to values like 2^{-128} and then make the security decision depend just as much on a
guess with a much greater probability of error. From the point of view of error
probability, we should have left out the cryptographic part entirely.
- Carl
P.S. the workshop where we should (and probably will) be discussing this is
http://www.cs.dartmouth.edu/~pki02/ and there are still two weeks before papers are
due.
++
|Carl Ellison Intel E: [EMAIL PROTECTED] |
|2111 NE 25th Ave M/S JF3-212 T: +1-503-264-2900 |
|Hillsboro OR 97124 F: +1-503-264-6225 |
|PGP Key ID: 0xFE5AF240 C: +1-503-819-6618 |
| 1FDB 2770 08D7 8540 E157 AAB4 CC6A 0466 FE5A F240|
++
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
Carl Ellison [EMAIL PROTECTED] writes: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 At 09:44 AM 1/14/2002 -0800, Eric Rescorla wrote: Stef Caunter [EMAIL PROTECTED] writes: Does a user of ssl services care to know absolutely that they are communicating verifiably with whom they believe they have contacted, or does the user care to know absolutely that their communication is completely private? These are inextricably connected. If you want to know that your communications are private in the face of active attack you need to know who you're talking to as well. Of course you do. That's why https://store.palm.com/ is such a problem. You thought you were talking to (and wanted to talk to) Palm Computing, just like the logos and page layout said you were. You're not. You're talking to a MITM. Palm hired them to run the store? The certificates don't say that. The certificates say EXACTLY that. They say that this entity is authorized to use the domain name store.palm.com. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
At 02:47 PM 1/14/2002 -0800, Eric Rescorla wrote: Meanwhile, the information that the user really looks at to make a security decision (the Palm logo and the little padlock) aren't related at all. No possible security system can protect people who trust whatever logo happens to be transmitted to them in web pages. That is certainly true today, but that is precisely how users decide whether or not to give up their credit card numbers or more sensitive information. It's a good thing that the user is absolved of liability in case the credit card is stolen. I disagree that it's not possible to secure logos. It's a MMOP (mere matter of programming). :) - Carl ++ |Carl Ellison Intel E: [EMAIL PROTECTED] | |2111 NE 25th Ave M/S JF3-212 T: +1-503-264-2900 | |Hillsboro OR 97124 F: +1-503-264-6225 | |PGP Key ID: 0xFE5AF240 C: +1-503-819-6618 | | 1FDB 2770 08D7 8540 E157 AAB4 CC6A 0466 FE5A F240| ++ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: CFP: PKI research workshop
Carl Ellison [EMAIL PROTECTED] writes: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 At 02:47 PM 1/14/2002 -0800, Eric Rescorla wrote: Meanwhile, the information that the user really looks at to make a security decision (the Palm logo and the little padlock) aren't related at all. No possible security system can protect people who trust whatever logo happens to be transmitted to them in web pages. That is certainly true today, but that is precisely how users decide whether or not to give up their credit card numbers or more sensitive information. It's a good thing that the user is absolved of liability in case the credit card is stolen. I disagree that it's not possible to secure logos. It's a MMOP (mere matter of programming). :) I didn't say that it wasn't possible to secure logos. I said that you couldn't protect people who trusted logos that were transmitted to them in Web pages. This is not the same thing. The point is that such logos are transmitted in-band and are part of the web page. Therefore, they are not cryptographically verified. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
PGP GPG compatibility
What's the state of the game with PGP and GPG compatibility? Nick -- Real friends help you move bodies. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
