At 11:26 PM -0500 8/14/04, Bruce Schneier wrote:
From: Ken Lavender [EMAIL PROTECTED]
Subject: ICS Atlanta
I am APPALLED at your comments that you had made on your website:
http://www.schneier.com/crypto-gram-0407.html#9
You have statements are nothing but slander defamation. They
http://www.topsecretcrypto.com/
Snake oil?
Regards, Matt-
[EMAIL PROTECTED] wrote:
http://www.topsecretcrypto.com/
Snake oil?
I am not entirely sure.
on the plus side - it apparently uses SHA-1 for a signing algo, RSA with a
max keysize of 16Kbits (overkill, but better than enforcing something
stupidly small), built in NTP synch for timestamps
I thought the 3G (UMTS) cellphones at least were going to use reasonably good
crypto; don't know about the overall security architecture though.
Jaap-Henk
On Fri, 06 Jun 2003 14:30:04 -0400 Ian Grigg [EMAIL PROTECTED] writes:
John Kelsey wrote:
So, what can I do about it, as an individual?
Rich Salz wrote:
Perhaps a few best practices papers are in order. They might help
the secure (distributed) computing field a great deal.
/r$
--
The new book, Practical Cryptography, by Niels Ferguson and
Bruce Schneier is useful.
regards,
Frederick
James A. Donald writes:
Suppose the e-gold, to prevent this sea of spam trying to get
people to login to fake e-gold sites, wanted people to use
public keys instead of shared secrets, making your secret key
the instrument that controls the account instead of your shared
password.
They
Derek Atkins [EMAIL PROTECTED] writes:
Actually, the ASN.1 part is a major factor in the X.509 interoperability
problems. Different cert vendors include different extensions, or different
encodings. They put different information into different parts of the
certificate (or indeed the same
--
On 7 Jun 2003 at 19:05, Dave Howe wrote:
issuing certs to someone is trivial from both a server and a
user endpoint - the user just gets a click here to request
your key and hits ok on a few dialog boxes; the server
simply hosts some pretty off-the-shelf cgi.
[...]
its surprisingly
my site has one.
ca0.net
..tom
--
On 7 Jun 2003 at 19:05, Dave Howe wrote:
issuing certs to someone is trivial from both a server and a
user endpoint - the user just gets a click here to request
your key and hits ok on a few dialog boxes; the server
simply hosts some pretty
James A. Donald wrote:
Could you point me somewhere that illustrates server issued
certs, certification with zero administrator overhead and small
end user overhead?
Been a while since I played with it, but IIRC OpenCA (www.openca.org) is a
full implementation of a CA, in perl cgi, with no admin
At 03:50 PM 6/3/03 -0700, Eric Blossom wrote:
...
GSM and CDMA phones come with the crypto enabled. The crypto's good
enough to keep out your neighbor (unless he's one of us) but if you're
that paranoid, you should opt for the end-to-end solution. The CDMA
stuff (IS-95) is pretty broken:
Ian Grigg wrote:
(Similar to GSM's. That is hard to attack,
there is AFAIR no 'trivial' attack, [...]
Just wait a little while.
By the way, one can already buy fake base stations that
mount man-in-the-middle attacks on GSM as a way to eavesdrop
on GSM calls. It's off the shelf, but it costs
John Kelsey wrote:
So, what can I do about it, as an individual? Make the cellphone companies
build good crypto into their systems? Any ideas how to do that?
Nope. Cellphone companies are big slow moving
targets. They get their franchise from the
government. If the NSA wants weak crypto,
At 10:09 PM 6/4/2003, James A. Donald wrote:
Eric Rescorla
Nonsense. One can simply cache the certificate, exactly as
one does with SSH. In fact, Mozilla at least does exactly
this if you tell it to. The reason that this is uncommon is
because the environments where HTTPS is used are generally
At 04:42 PM 6/4/2003 -0700, Eric Rescorla wrote:
Nonsense. One can simply cache the certificate, exactly as
one does with SSH. In fact, Mozilla at least does exactly
this if you tell it to. The reason that this is uncommon
is because the environments where HTTPS is used
are generally spontaneous
[EMAIL PROTECTED] (Peter Gutmann) writes:
Bodo Moeller [EMAIL PROTECTED] writes:
Using an explicit state machine helps to get code suitable for multiplexing
within a single thread various connections using non-blocking I/O.
Is there some specific advantage here, or is it an academic
Derik asks the pertinent question:
The question is: how do we convince M$ and Netscape to include something
else in their software? If it's not supported in IE, then it won't be
available to the vast majority of users out there.
My view, again, IMHO: ignore Microsoft. Concentrate
on the
--
On 4 Jun 2003 at 20:58, Anne Lynn Wheeler wrote:
it is relatively trivial to demonstrate that public keys can
be registered in every business process that currently
registers shared- secrets (pins, passwords, radius, kerberos,
etc, etc)
I don't think so.
Suppose the e-gold, to
At 04:24 PM 6/6/2003 -0700, James A. Donald wrote:
I don't think so.
??? public key registered in place of shared-secret?
NACHA debit trials using digitally signed transactions did it with both
software keys as well as hardware tokens.
http://internetcouncil.nacha.org/News/news.html
in the
--
James A. Donald:
Certificate caching is not the problem that needs solving.
The problem is all this spam attempting to fool people into
logging in to fake BofA websites and fake e-gold websites,
to steal their passwords or credit card numbers
On 6 Jun 2003 at 15:04, Tim Dierks
Eric Murray [EMAIL PROTECTED] writes:
Too often people see something like Peter's statement above and say
oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just
do it in XML instead and then it'll work fine which is simply not true.
The formatting of the certificates is such a
Derek Atkins [EMAIL PROTECTED] writes:
Eric Murray [EMAIL PROTECTED] writes:
Too often people see something like Peter's statement above and say
oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just
do it in XML instead and then it'll work fine which is simply not true.
Eric Rescorla [EMAIL PROTECTED] writes:
This isn't really true in the SSL case:
To a first order, everyone ignores any extensions (except sometimes
the constraints) and uses the CN for the DNS name of the server.
Except some CAs make certs that can only work as an SSL server and not
an SSL
On Fri, 06 Jun 2003, James A. Donald wrote:
Suppose the e-gold, to prevent this sea of spam trying to get
people to login to fake e-gold sites, wanted people to use
public keys instead of shared secrets, making your secret key
the instrument that controls the account instead of your shared
Sampo Syreeni wrote:
Rather it's the fact that the Big
Brother doesn't have the necessary total funds, and so doesn't listen into
a considerable proportion of calls as a whole.
Yet.
As far as we know.
:-)
I agree it's an economic issue, and law enforcement doesn't seem to
listen in on a
[EMAIL PROTECTED],
Bill
Stewart [EMAIL PROTECTED], cypherpunks [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: Re: Maybe It's Snake Oil All the Way Down
In-Reply-To: [EMAIL PROTECTED]
User-Agent: Mutt/1.4i
On Tue, Jun 03, 2003 at 10:42:01AM -0400, John Kelsey wrote:
At 10:09 AM 6/2/03 -0400
On Tue, Jun 03, 2003 at 06:17:12PM -0400, John Kelsey wrote:
At 01:25 PM 6/3/03 -0700
, cellphone, microwave, fiber-optic, so that
snake oil is apt protection. If all telecomm was shut down no
more would change than pulling the plug on television.
The other 2% is what the billions and billions is trying to find
among the EM cataract of plaintext and speak smoke and whine
-- by whoever
On Monday, June 2, 2003, at 07:09 AM, Ian Grigg wrote:
PGP was also mildly successful, and was done by
one guy, PRZ. The vision was very clear. All others
had to do was to fix the bugs... Sadly, free versions
never quite made the jump into GUI mail clients, so
widespread success was denied
At 08:32 PM 5/31/03 -0400, Scott Guthery wrote:
Hello, Rich ...
When I drill down on the many pontifications made by computer
security and cryptography experts all I find is given wisdom. Maybe
the reason that folks roll their own is because as far as they can see
that's what everyone does.
Oh look, it's a brand new fluff piece on Meganet and their Virtual Matrix
Encryption, deconstructed years ago in various forums, including this one.
http://www.inet-one.com/cypherpunks/dir.1998.01.01-1998.01.07/msg00047.html
Why on earth is the Department of Labor giving them money?
Meganet now
at Friday, October 25, 2002 6:22 PM, bear [EMAIL PROTECTED] was seen to
say:
The implication is that they have a hard problem in their
bioscience application, which they have recast as a cipher.
The temptation is to break it, *tell* them you have broken it (and offer
to break any messages they