I've personally
designed and deployed many PKI solutions for large corporations for all
sorts of security applications ranging from remote VPN access to wireless
LAN security, and I can attest that the technology is simple, scalable, and
reliable.
*yawn* Yet another person who confuses
Mark Allen Earnest wrote:
*yawn* Yet another person who confuses PK with PKI. Almost NOBODY has
ever done PKI right. The I is the part everyone conveniently forgets
when they claim otherwise.
when we were doing this stuff related to e-commerce ... we also had to
go out and audit some number of
Frequently, scientists who know nothing about security come up with
ingenious ways to solve non-existent problems. Take this, for example:
http://www.sciam.com/article.cfm?chanID=sa003articleID=00049DB6-ED96-12E7-AD9683414B7F
Basically, some clever folks have found a way to fingerprint the
From: Steven M. Bellovin [EMAIL PROTECTED]
Sent: Aug 5, 2005 12:04 PM
To: Steve Furlong [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: draft paper: Deploying a New Hash Algorithm
...
I'd have phrased it differently than Perry did. I'd say
that the attackers are often cleverer
Perry E. Metzger wrote:
We need a term for this sort of thing -- the steel tamper
resistant lock added to the tissue paper door on the wrong vault
entirely, at great expense, by a brilliant mind that does not
understand the underlying threat model at all.
Anyone have a good phrase in mind that
From: Perry E. Metzger [EMAIL PROTECTED]
Sent: Aug 6, 2005 2:28 PM
To: cryptography@metzdowd.com
Subject: solving the wrong problem
Frequently, scientists who know nothing about security come
up with ingenious ways to solve non-existent problems. Take
this, for example:
Anne Lynn Wheeler wrote:
random past posts on ssl domain name certificates ... some number dating
back to the period of the original payment gateway.
http://www.garlic.com/subpubkey.html#sslcert
oops, finger slip, that should be
http://www.garlic.com/~lynn/subpubkey.html#sslcert
... oh, and
Steven M. Bellovin [EMAIL PROTECTED] writes:
Tickets are an excellent use for this, because it binds the printing to
a specific physical object. The concert industry has had a problem
with trying to use print-at-home tickets -- the fraudsters buy a single
ticket, then print it multiple
Reminds me of the White Knight from Alice in Wonderland, who doesn't
understand his threat model, and doesn't know how to effectively use
his tools:
`I see you're admiring my little box,' the Knight said in a friendly
tone. `It's my own invention -- to keep clothes and sandwiches in. You
see I
In Steve Bellovin and Eric Rescorla's paper, Deploying a New Hash Algorithm*,
the authors note the well known property of hash functions:
For two different strings x and y,
H(x) = H(y) ==> H(x||s) = H(y||s)
It seems to me that there might be a class of hash functions for which this
property
Perry E. Metzger wrote:
A variant on the moviefone.com model might work better for these folks
-- have the person buy the tickets with a credit card, and use a
machine to check that they are in physical possession of said card
when they enter the theater. Most people will not loan their cards
On Sat, 6 Aug 2005, Perry E. Metzger wrote:
We already have the term snake oil for a very different type of bad
security idea, and the term has proven valuable for quashing such
things. We need a term for this sort of thing -- the steel tamper
resistant lock added to the tissue paper door on