The summer of PKI love
http://www.infoworld.com/article/05/08/10/33OPstrategic_1.html

The annual PKI Deployment Summit at Dartmouth College is becoming a summer tradition. Universities differ from other large enterprises in ways that make them bellwethers for IT's future.

... snip ...

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Motorist wins case after maths whizzes break speed camera code
On Wed, Aug 10, 2005 at 02:29:38PM -0400, [EMAIL PROTECTED] wrote:

> The facts are very scrambled but I like it. The brief TV reports from lawyers were more factual.
>
> Motorist wins case after maths whizzes break speed camera code
> http://www.faqs.org/qa/rfcc-1420.html

Possibly related: http://www.redflex.com.au/traffic/pdfs/RedflexSpeed2V2.pdf

-- 
Victor Duchovni, IT Security, Morgan Stanley

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.
Re: NY Times article on biometrics and border control
> Hurdles for High-Tech Efforts to Track Who Crosses Borders
> By ERIC LIPTON
>
> The government's effort to collect biometric data to track foreigners visiting the U.S. has fallen far short of its goals.

Well, this article is somewhat blurry. They start by "Hoping to block the entry of criminals and terrorists" whereas even immigration officers agree that that's not one of their goals. Fortunately, they then cite some politician: "When it's all in place, there's still no real additional security or at least it's of marginal value", which is, as we all know, correct.

BTW, on some airports DHS does indeed take one's fingerprint and photos when leaving the country. They currently do so at Baltimore, for example.

What worries me is that all the information collected can be, and will be, misused eventually. What worries me even more is that the Europeans now feel under pressure and happily will introduce the very same crap.

Cheers,

Stefan.

--- 
Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Ettlinger Straße 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
--- 
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
Re: How much for a DoD X.509 certificate?
Peter Gutmann wrote:

> $25 and a bit of marijuana, apparently. See:
>
> http://www.wjla.com/news/stories/0305/210558.html
> http://www.wjla.com/news/stories/0105/200474.html
>
> Although the story doesn't mention this, the ID in question was the DoD Common Access Card, a smart card containing a DoD-issued certificate. To get a CAC, you normally have to provide two forms of verification... in this case I guess the two were photo ID of dead presidents and empirical proof that you know how to buy weed.
>
> The cards were issued by Yusuf Khalil Jackson, a man with a long criminal history (including, ironically, identity fraud):

one might claim that part of this is the lingering affinity to offline credentials ... when most really secure operations have gone to online and realtime operations ... leaving any physical object primarily a feature of something you have authentication that might be used in conjunction with other authentication factors.

the issue of many offline credentials are that they are left over from a bygone era that is rapidly disappearing, but some of the legacy mindsets still linger on.

the issue was raised in the mid-90s in financial infrastructures ... that such offline credentials ... even tho superfluous and redundant (in a modern online world) wouldn't actually be hurting anything (other than possibly the out-of-pocket expense to support such operations). the danger did show up when operations were tempted to use the redundant and superfluous credential in lieu of doing an actual online operation.
[Clips] The summer of PKI love
--- begin forwarded text

Delivered-To: [EMAIL PROTECTED]
Date: Thu, 11 Aug 2005 15:10:52 -0400
To: Philodox Clips List [EMAIL PROTECTED]
From: R.A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] The summer of PKI love
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.infoworld.com/article/05/08/10/33OPstrategic_1.html

InfoWorld

The summer of PKI love

Dartmouth College's PKI Deployment Summit showed public key infrastructure moving forward

Strategic Developer, by Jon Udell, August 10, 2005

The annual PKI Deployment Summit at Dartmouth College is becoming a summer tradition. Universities differ from other large enterprises in ways that make them bellwethers for IT's future. University user populations are transient, platform monocultures cannot be imposed, and collaboration across institutional borders is mission-critical. These are excellent circumstances in which to evolve methods of identity management that will also meet the requirements of corporations as they increasingly outsource, connect with customers through the Web, and engage with partners in federations of Web services.

One reason for PKI's slow uptake has been the lack of two kinds of portability. It hasn't been easy to move cryptographic keys from one machine to another, or to use credentials issued by one institution at another. But as we learned at the summit, there's been progress on both fronts. Growing adoption of hardware tokens is making cryptographic identities independent of machines. And emerging trust bridges are enabling those identities to be federated among universities, the federal government, and industry.

On the token front, we're still unfortunately waiting for the ideal key storage device. USB tokens, smart cards, and cell phones are all candidates, and the pros and cons of these options form a complex matrix. Universities tend to prefer the USB approach because the tokens work with PCs and Macs that can't easily be outfitted with card readers.

No matter what flavor of device, however, the deployment procedure is critical. This year, several summit attendees talked about moving away from a model in which the token caches keys that are also stored elsewhere, to a model in which keys are generated directly on the token and are stored only there. If you lose your token, you have to reregister for a new one and get freshly minted keys. Work-arounds are painful experiences that people won't lightly inflict on themselves a second time. It sounds draconian, and indeed is, but the benefits are twofold. It virtually eliminates password sharing, which, as I mentioned last year, is otherwise rampant. And the required in-person registration is a ceremony that helps users understand what the token means and how to use it.

On the trust front, a number of initiatives are under way. A handful of universities and resource providers have been using the Internet2 consortium's Shibboleth to enable users at one institution to access online resources at another. In March, that trust network was formalized as the InCommon Federation. Shibboleth isn't PKI-based, but it can be bridged to PKI systems, and trust bridges were a hot topic this year. Dartmouth's Scott Rea gave a status report on the Higher Education Bridge Certification Authority. Peter Alterman, from the National Institutes of Health, described the Federal Bridge Certification Authority. Cybertrust's Russ Weiser presented Secure Access for Everyone, which focuses on the biopharmaceutical industry. And Jim Jokl, from the University of Virginia, showed how to leverage grid networks as a trust fabric by exploiting the Globus Toolkit's intrinsic PKI.

Once these and other bridges can cross-certify, token-borne credentials issued by one will be recognized -- subject to appropriate policy mapping -- by the others. A year ago that seemed far-fetched, but the picture is coming into focus.

Jon Udell is lead analyst and blogger in chief at the InfoWorld Test Center.

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

___
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text
Re: Motorist wins case after maths whizzes break speed camera code
On Aug 10, 2005, at 7:01 PM, Victor Duchovni wrote:

> On Wed, Aug 10, 2005 at 02:29:38PM -0400, [EMAIL PROTECTED] wrote:
>
>> The facts are very scrambled but I like it. The brief TV reports from lawyers were more factual.
>>
>> Motorist wins case after maths whizzes break speed camera code
>> http://www.faqs.org/qa/rfcc-1420.html
>
> Possibly related: http://www.redflex.com.au/traffic/pdfs/RedflexSpeed2V2.pdf

From the brochure:

"Security/Encryption: all enforcement information is public key authenticated using MD5 encryption to ensure information is authentic and tamper free."

So, of course, it must be very secure, no marketing enhancements here. On the other hand, it seems that the prosecutor didn't use/hire the proper expert witness.

Putting aside the inaccuracies of the article, I'm trying to interpret correctly what the article stated. The record being protected by MD5 consists of the time, date, place, numberplate and speed. Assuming that only the speed was in question, then it should be possible to calculate all the MD5's for all possible speed values and see if you get a collision (actually, just the speed values above the speed limit).

Just my 2 centavos,

Aram Perez
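The keyless-hash problem behind the brochure claim discussed above, as an added example that is not from the original thread and not the vendor's code: it models a constructed five-field record with the layout the post describes (time, date, place, number plate, speed) and contrasts a bare MD5 tag, which anyone can recompute after editing the speed, with an HMAC-SHA256 tag under a camera-held key. The keyed design is an assumption for the example, not anything Redflex documents; the record layout, field values and key are constructed.

```python
"""Why a bare MD5 over a small record is integrity checking, not authentication.

Constructed example. A verifier that only recomputes an unkeyed hash accepts
any record whose tag was recomputed by whoever last edited it, so the tag
cannot tell a genuine record from a tampered one. A keyed MAC (assumed here:
HMAC-SHA256 with a key held by the camera) cannot be recomputed without the key.
"""
import hashlib
import hmac

# Constructed sample record. The five fields follow the post's description of
# what the camera protects; the layout and values are assumptions for this example.
SAMPLE_RECORD = {
    "date": "2005-08-10",
    "time": "14:29:38",
    "place": "Example Road (constructed)",
    "plate": "ABC123 (constructed)",
    "speed_kmh": 72,
}
FIELD_ORDER = ("date", "time", "place", "plate", "speed_kmh")


def encode_record(rec):
    """Canonical, fixed-order serialisation so issuer and verifier hash identical bytes."""
    return "|".join(str(rec[f]) for f in FIELD_ORDER).encode()


def md5_tag(rec):
    """The brochure-style 'authentication': an unkeyed MD5 over the record."""
    return hashlib.md5(encode_record(rec)).hexdigest()


def verify_md5(rec, tag):
    return hmac.compare_digest(md5_tag(rec), tag)


def hmac_tag(rec, key):
    """Keyed alternative (assumption for this example): HMAC-SHA256 under the camera's key."""
    return hmac.new(key, encode_record(rec), hashlib.sha256).hexdigest()


def verify_hmac(rec, tag, key):
    return hmac.compare_digest(hmac_tag(rec, key), tag)


def tampered_copy(rec, new_speed):
    """Alter only the speed field, the scenario the post considers."""
    altered = dict(rec)
    altered["speed_kmh"] = new_speed
    return altered


def speeds_matching_md5(rec, tag, max_speed=300):
    """The enumeration the post describes: recompute MD5 for every candidate speed
    and report which ones reproduce the stored tag. It works only because the tag
    needs no secret, which is exactly why the tag is worthless as evidence of origin."""
    return [s for s in range(max_speed + 1) if verify_md5(tampered_copy(rec, s), tag)]


def bare_hash_accepts_forgery(rec):
    """True if an edited record with a freshly recomputed MD5 passes the verifier."""
    forged = tampered_copy(rec, rec["speed_kmh"] + 30)
    return verify_md5(forged, md5_tag(forged))


def keyed_mac_rejects_forgery(rec, key):
    """True if an edited record cannot be given a valid tag without the key:
    neither reusing the genuine tag nor tagging under a guessed key verifies."""
    genuine = hmac_tag(rec, key)
    forged = tampered_copy(rec, rec["speed_kmh"] + 30)
    reused_tag_fails = not verify_hmac(forged, genuine, key)
    wrong_key_fails = not verify_hmac(forged, hmac_tag(forged, b"guessed-key"), key)
    return reused_tag_fails and wrong_key_fails


if __name__ == "__main__":
    camera_key = b"constructed-camera-key"  # constructed; a real key would never be in source
    tag = md5_tag(SAMPLE_RECORD)
    print("speeds consistent with the MD5 tag:", speeds_matching_md5(SAMPLE_RECORD, tag))
    print("bare MD5 accepts a recomputed forgery:", bare_hash_accepts_forgery(SAMPLE_RECORD))
    print("keyed MAC rejects the forgery:", keyed_mac_rejects_forgery(SAMPLE_RECORD, camera_key))
```

The point for an expert witness is the contrast between the last two checks: `speeds_matching_md5` and `bare_hash_accepts_forgery` both succeed without any secret, so an MD5 tag alone can only detect accidental corruption, while the keyed tag ties the record to whoever held the key at capture time. Even the keyed version only addresses authenticity of the stored record, not whether the measurement itself was correct.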
Re: How much for a DoD X.509 certificate?
> From: Peter Gutmann [EMAIL PROTECTED]
> Sent: Aug 11, 2005 7:42 AM
> To: cryptography@metzdowd.com
> Subject: How much for a DoD X.509 certificate?
>
> $25 and a bit of marijuana, apparently. See:
>
> http://www.wjla.com/news/stories/0305/210558.html
> http://www.wjla.com/news/stories/0105/200474.html
>
> Although the story doesn't mention this, the ID in question was the DoD Common Access Card, a smart card containing a DoD-issued certificate. To get a CAC, you normally have to provide two forms of verification... in this case I guess the two were photo ID of dead presidents and empirical proof that you know how to buy weed.

Ah, so this was more of an attribute certificate, then. And that the certificate was issued based partly on a nonstandard proof of possession protocol. (More specifically, proof of possession with intent to distribute.)

> Peter.

--John