Re: Possible way to increase Security
Duane wrote: The currently level and ease of use of cryptography is pretty poor, and perhaps that's understating it somewhat... This is a popular misconception among the cognoscenti, who feel that everybody should - for instance - always encrypt all e-mail. As a consequence, we all somehow tacitly assume that the measure of success of crypto development and deployment is quantity - instead of quality. The quantity target (perhaps measured as a percent of all e-mails floating on the 'net that are encrypted) is indeed slipping. But those that are properly motivated *do* encrypt. However, they do not 'just encrypt'; they pay attention to the security on a wider front. Thus, one of the first things they do, is to avoid permanent 'net connection modus operandi - source of all kinds of potentially devastating security breaches. In addition, for them the protection from the traffic analysis often tends to be as important as is the protection of content. Ever more complex PKI protocols that depend on promiscuous, net-wide transactions at any point in the communication cycle might indeed increase (marginally?) the mythical ease of use for the unmotivated, but will not increase the overall level of security for those that need it. This is therefore not the best use of time and development effort. Roger ___ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
Re: Possible way to increase Security
Whay don't you use LDAPv3 as protocol? This makes it easy to set up query limits, slave servers and so on. This could act as a address book also. Try www.OpenLDAP.org. The code in mozilla is mostly there, I belive. Maybe there is some issues with LDAPv3 och getting the cert. - Emil Assarsson Duane wrote: I'm currently drawing up a proposal for an independent submission for an Internet Draft and I'm after feed back on this. My idea is pretty simple, if all you have is an email address of the person you want to email, and they have a public certificate listed in the system, client software should be automatically be able to retrieve the certificate and encrypt email to the person without any intervention from the user. This would be particularly useful for web mail services and 802.1x key handling, as all you need is the email address, not a bunch of certificates. The currently level and ease of use of cryptography is pretty poor, and perhaps that's understating it somewhat, to address this I started thinking about a whois type service to distribute certificates, and it ended up somewhere a cross between a finger service and a PGP Key Exchange. Basically you connect to a tcp port on a CA service that interacts with a database, you supply an email address or a host name and the system replies with the current valid certificate which can then be used to encrypt data. For the full draft + example daemon code to achieve this go to: http://www.cacert.org/index.php?id=26prob=8 ___ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
Re: Possible way to increase Security
Emil Assarsson wrote: Whay don't you use LDAPv3 as protocol? This makes it easy to set up query limits, slave servers and so on. This could act as a address book also. Try www.OpenLDAP.org. The code in mozilla is mostly there, I belive. Maybe there is some issues with LDAPv3 och getting the cert. I thought about using LDAP, however my thinking on this is something extremely dumb so all any client needs to interface with it is a tcp connection, making things simpler then needing all the overhead of LDAP, dealing with LDAP libs and all the rest of it. There are a number of projects I know of that are non-email related that don't have a need for LDAP, so just a quick finger [EMAIL PROTECTED]@cacert.org would be a lot easier for them then going to all the added trouble... The initial daemon is just an interface not the database itself, the assumption here is most CAs already run a database to track certificates they've issued but there is no simple/dumb interface for machines to interface with it. -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! ___ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
Re: Possible way to increase Security
Duane, The idea is good, but as you point out, protocols such as LDAP already exist to do this. What's missing is a global (worldwide) directory that's independent of a particular corporation of government. The key problem is that no one entity would have the resources to host such a server. Some distribution is necessary. Your protocol proposal is overly simplistic and does not address this issue, or the missing link of where the database of certs actually comes from ... These topics have been discussed extensively on IETF pkix and smime mailing lists, but no solution was found. You should look at the archives and look for my name in there. I definitely agree with you that the need exists for a global directory that can map email address to certs. This is a gaping hole in global PKI usage. But not an easy one to solve. Duane wrote: I'm currently drawing up a proposal for an independent submission for an Internet Draft and I'm after feed back on this. My idea is pretty simple, if all you have is an email address of the person you want to email, and they have a public certificate listed in the system, client software should be automatically be able to retrieve the certificate and encrypt email to the person without any intervention from the user. This would be particularly useful for web mail services and 802.1x key handling, as all you need is the email address, not a bunch of certificates. The currently level and ease of use of cryptography is pretty poor, and perhaps that's understating it somewhat, to address this I started thinking about a whois type service to distribute certificates, and it ended up somewhere a cross between a finger service and a PGP Key Exchange. Basically you connect to a tcp port on a CA service that interacts with a database, you supply an email address or a host name and the system replies with the current valid certificate which can then be used to encrypt data. For the full draft + example daemon code to achieve this go to: http://www.cacert.org/index.php?id=26prob=8 ___ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
Re: Possible way to increase Security
Julien Pierre wrote: Duane, The idea is good, but as you point out, protocols such as LDAP already exist to do this. What's missing is a global (worldwide) directory that's independent of a particular corporation of government. The key problem is that no one entity would have the resources to host such a server. Some distribution is necessary. Your protocol proposal is overly simplistic and does not address this issue, or the missing link of where the database of certs actually comes from ... The idea is CAs already have databases, this method just provides a common interface to access the different systems with. Alternatively things could be done in a PGP Key Exchange fashion where people upload their own certificates just as you do with PGP. These topics have been discussed extensively on IETF pkix and smime mailing lists, but no solution was found. You should look at the archives and look for my name in there. I definitely agree with you that the need exists for a global directory that can map email address to certs. This is a gaping hole in global PKI usage. But not an easy one to solve. I think for the most part the PGP solution works, so maybe an extension to it, or something in parallel might work the best... -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! ___ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
Possible way to increase Security
I'm currently drawing up a proposal for an independent submission for an Internet Draft and I'm after feed back on this. My idea is pretty simple, if all you have is an email address of the person you want to email, and they have a public certificate listed in the system, client software should be automatically be able to retrieve the certificate and encrypt email to the person without any intervention from the user. This would be particularly useful for web mail services and 802.1x key handling, as all you need is the email address, not a bunch of certificates. The currently level and ease of use of cryptography is pretty poor, and perhaps that's understating it somewhat, to address this I started thinking about a whois type service to distribute certificates, and it ended up somewhere a cross between a finger service and a PGP Key Exchange. Basically you connect to a tcp port on a CA service that interacts with a database, you supply an email address or a host name and the system replies with the current valid certificate which can then be used to encrypt data. For the full draft + example daemon code to achieve this go to: http://www.cacert.org/index.php?id=26prob=8 -- Best regards, Duane http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! ___ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto