Re: [cryptography] airgaps in CAs

2011-12-09 Thread Adam Back
Hi Arshad, Do the air-gapped private PKI root certs (and, if applicable, the non-airgapped sub-CA certs they authorize) have the critical name constraint extension, e.g. .foocorp.com, meaning it is only valid for creating certs for *.foocorp.com? (I am presuming these private PKI certs are sub-CA

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Jon Callas
On 8 Dec, 2011, at 8:27 PM, Peter Gutmann wrote: In any case getting signing certs really isn't hard at all. I once managed it in under a minute (knowing which Google search term to enter to find caches of Zeus stolen keys helps :-). That's as an outsider, if you're working inside

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Thor Lancelot Simon
On Fri, Dec 09, 2011 at 01:01:05PM -0800, Jon Callas wrote: If you have a certificate issue a revocation for itself, there is an obvious, correct interpretation. That interpretation is what Michael Heyman said, and what OpenPGP does. That certificate is revoked and any subordinate

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Steven Bellovin
On Dec 9, 2011, at 3:46 18PM, Jon Callas wrote: On 8 Dec, 2011, at 8:27 PM, Peter Gutmann wrote: In any case getting signing certs really isn't hard at all. I once managed it in under a minute (knowing which Google search term to enter to find caches of Zeus stolen keys helps :-).

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Nico Williams
On Fri, Dec 9, 2011 at 4:08 PM, Steven Bellovin s...@cs.columbia.edu wrote: On Dec 9, 2011, at 3:46 18PM, Jon Callas wrote: If it were hard to get signing certs, then we as a community of developers would demonize the practice as having to get a license to code. Peter is talking about stolen

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Randall Webmail
From: Nico Williams n...@cryptonector.com What should matter is that malware should not be able to gain control of the device or other user/app data on that device, and, perhaps, that the user not even get a chance to install said malware, not because the malware's signatures don't chain up to a

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Jeffrey Walton
On Fri, Dec 9, 2011 at 5:28 PM, Nico Williams n...@cryptonector.com wrote: On Fri, Dec 9, 2011 at 4:08 PM, Steven Bellovin s...@cs.columbia.edu wrote: On Dec 9, 2011, at 3:46 18PM, Jon Callas wrote: If it were hard to get signing certs, then we as a community of developers would demonize the

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Steven Bellovin
On Dec 9, 2011, at 5:41 04PM, Randall Webmail wrote: From: Nico Williams n...@cryptonector.com What should matter is that malware should not be able to gain control of the device or other user/app data on that device, and, perhaps, that the user not even get a chance to install said

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Nico Williams
On Fri, Dec 9, 2011 at 4:41 PM, Jeffrey Walton noloa...@gmail.com wrote: This strengthens the argument for digital signatures as a means of providing upgrade continuity and related application grouping / isolation, as in the Android model.  No need for a PKI then, no need to pay for

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Jeffrey Walton
On Fri, Dec 9, 2011 at 6:00 PM, Nico Williams n...@cryptonector.com wrote: On Fri, Dec 9, 2011 at 4:41 PM, Jeffrey Walton noloa...@gmail.com wrote: This strengthens the argument for digital signatures as a means of providing upgrade continuity and related application grouping / isolation, as

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread dan
If the USG can't even keep thumb drives off of SIPR, isn't the whole game doomed to failure? (What genius thought it would be a good idea to put USB ports on SIPR-connected boxes, anyway?) USG is, like all enterprises, struggling with consumerization such as whether cloud services

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Peter Gutmann
Jon Callas j...@callas.org writes: If it were hard to get signing certs, then we as a community of developers would demonize the practice as having to get a license to code. WHQL is a good analogy for the situations with certificates, it has to be made inclusive enough that people aren't