Eric Rescorla e...@networkresonance.com writes:
At Tue, 20 Jan 2009 17:57:09 +1300, Peter Gutmann wrote:
Steven M. Bellovin s...@cs.columbia.edu writes:
So -- who supports TLS 1.2?
Not a lot, I think. The problem with 1.2 is that it introduces a pile of
totally gratuitous incompatible
On Sat, Jan 24, 2009 at 2:36 AM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
You seem to be out of touch I am afraid. Just look at what many O/S
distributions do. They adopt a new OpenSSL 0.9.Xy release from time to
time (for some initial y) and back-port security fixes never
At Sat, 24 Jan 2009 14:55:15 +1300,
Peter Gutmann wrote:
Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those
between SSL and TLS. I'm not particularly happy about that either, but it's
what we felt was necessary to do a principled job.
It may have been a nicely principled
On Tue, Jan 20, 2009 at 5:14 AM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote:
The RFC does exit (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256
mandatory), so you can send a SHA-256 certificate to clients that
On Fri, Jan 23, 2009 at 04:01:50PM +1100, Ben Laurie wrote:
I really hope to see
real OpenSSL patch releases some day with development of new features
*strictly* in the development snapshots. Ideally this will start with
0.9.9a, with no new features, just bug-fixes, in [b-z]. ]
I think
At Tue, 20 Jan 2009 17:57:09 +1300,
Peter Gutmann wrote:
Steven M. Bellovin s...@cs.columbia.edu writes:
So -- who supports TLS 1.2?
Not a lot, I think. The problem with 1.2 is that it introduces a pile of
totally gratuitous incompatible changes to the protocol that require quite a
bit
Jon Callas j...@callas.org writes:
I've always been pleased with your answer to Question J, so I'll say what
we're doing at PGP.
That wasn't really meant as a compliment :-). The problem is that by leaping
on things the instant they appear you end up having to support a menagerie of
wierdo
On Sat, Jan 17, 2009 at 5:24 PM, Steven M. Bellovin s...@cs.columbia.edu
wrote:
I've mentioned it before, but I'll point to the paper Eric Rescorla
wrote a few years ago:
http://www.cs.columbia.edu/~smb/papers/new-hash.ps or
http://www.cs.columbia.edu/~smb/papers/new-hash.pdf . The bottom
Paul Hoffman wrote:
At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote:
When in 2012 the winner of the
NIST SHA-3 competition will be known, and everybody will start
using it (so that according to Peter's estimates, by 2018 half
of the implementations actually uses it), do we then have enough
At 1:38 PM + 1/19/09, Darren J Moffat wrote:
Can you state the assumptions for why you think that moving to SHA384 would be
safe if SHA256 was considered vulnerable in some way please.
Sure. I need 128 bits of pre-image protection for, say, a digital signature.
SHA2/256 is giving me that.
On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote:
The RFC does exit (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256
mandatory), so you can send a SHA-256 certificate to clients that
indicate they support TLS 1.2 or later. You'd still need some other
certificate for
On Mon, 19 Jan 2009 10:45:55 +0100
Bodo Moeller bmoel...@acm.org wrote:
On Sat, Jan 17, 2009 at 5:24 PM, Steven M. Bellovin
s...@cs.columbia.edu wrote:
I've mentioned it before, but I'll point to the paper Eric Rescorla
wrote a few years ago:
Steven M. Bellovin s...@cs.columbia.edu writes:
So -- who supports TLS 1.2?
Not a lot, I think. The problem with 1.2 is that it introduces a pile of
totally gratuitous incompatible changes to the protocol that require quite a
bit of effort to implement (TLS 1.1 - 1.2 is at least as big a step,
I have a general outline of a timeline for adoption of new crypto
mechanisms (e.g. OAEP, PSS, that sort of thing, and not specifically
algorithms) in my Crypto Gardening Guide and Planting Tips, http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt
, see Question J about 2/3 of the way
On Mon, Jan 19, 2009 at 01:38:02PM +, Darren J Moffat wrote:
I don't think it depends at all on who you trust but on what algorithms
are available in the protocols you need to use to run your business or
use the apps important to you for some other reason. It also very much
depends on
Weger, B.M.M. de b.m.m.d.we...@tue.nl writes:
Bottom line, anyone fielding a SHA-2 cert today is not going=20
to be happy with their costly pile of bits.
Will this situation have changed by the end of 2010 (that's next year, by the
way), when everybody who takes NIST seriously will have to
decision to make.
PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/)
offering the video and audio files of the 25c3 presentation MD5
considered harmful today, provide for integrity checking of those
files their, uhm, MD5 hashes.
It seems to me they are only provided
On Mon, 12 Jan 2009 16:05:08 +1300
pgut...@cs.auckland.ac.nz (Peter Gutmann) wrote:
Weger, B.M.M. de b.m.m.d.we...@tue.nl writes:
Bottom line, anyone fielding a SHA-2 cert today is not going=20
to be happy with their costly pile of bits.
Will this situation have changed by the end of
intersection should be
replaced by union.]]
Grtz,
Benne de Weger
PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/)
offering the video and audio files of the 25c3 presentation MD5
considered harmful today, provide for integrity checking of those
files their, uhm, MD5 hashes
On Sat, Jan 10, 2009 at 11:32:44PM +0100, Weger, B.M.M. de wrote:
Hi Victor,
Bottom line, anyone fielding a SHA-2 cert today is not going
to be happy with their costly pile of bits.
Will this situation have changed by the end of 2010 (that's
next year, by the way), when everybody who
On Thu, Jan 08, 2009 at 06:23:47PM -0600, Dustin D. Trammell wrote:
Nearly everything I've seen regarding the proposed solutions to this
attack have involved migration to SHA-1. SHA-1 is scheduled to be
decertified by NIST in 2010, and NIST has already recommended[1] moving
away from SHA-1
On Tue, 2008-12-30 at 11:51 -0800, Hal Finney wrote:
Therefore the highest priority should be for the six bad CAs to change
their procedures, at least start using random serial numbers and move
rapidly to SHA1. As long as this happens before Eurocrypt or whenever
the results end up being
On Tue, 30 Dec 2008, Hal Finney wrote:
- The attack relies on cryptographic advances in the state of the art for
finding MD5 collisions from inputs with different prefixes. These advances
are not yet being published but will presumably appear in 2009.
To insert a malicious
Hi all,
Today, 30 December 2008, at the 25th Annual Chaos Communication Congress in
Berlin,
we announced that we are currently in possession of a rogue Certification
Authority certificate. This certificate will be accepted as valid and trusted
by
all common browsers, because it appears to be
Hello,
I wanted to chime in more during the previous x509 discussions but I was
delayed by some research.
I thought that I'd like to chime in that this new research about
attacking x509 is now released. We gave a talk about it at the 25c3
about an hour or two ago.
MD5 considered harmful today
Re: http://www.win.tue.nl/hashclash/rogue-ca/
Key facts:
- 6 CAs were found still using MD5 in 2008: RapidSSL, FreeSSL, TC
TrustCenter AG, RSA Data Security, Thawte, verisign.co.jp. Out of the
30,000 certificates we collected, about 9,000 were signed using MD5,
and 97% of those were
26 matches
Mail list logo