Re: Using signature-only certs to authenticate key exchanges
This effectively exempts things like signature-only smartcards and similar tokens.

I would not want to risk things on strict technical interpretation. I would go solely by intent, which often seems obvious. "I don't know what cryptography is, but I know it when I see it."

/r$
Comcast@Home bans VPNs
Customers blast Comcast move to foil bandwidth hogs
By Corey Grice
Staff Writer, CNET News.com
August 16, 2000, 12:00 p.m. PT

Revisions made to a Comcast Online customer agreement document have irked some high-speed cable-modem customers concerned about a prohibition on the use of secure networking technology.

The document, which governs acceptable uses for the company's cable-modem service Comcast@Home, was recently updated for the third time. The new version, in section 6B, requires subscribers to agree not to use the service as a means to create what is known as a virtual private network, or VPN--a technology that provides a secure connection across the Internet...

http://news.cnet.com/news/0-1004-200-2536215.html
Re: Using signature-only certs to authenticate key exchanges
At 07:39 AM 8/17/00 +0800, Enzo Michelangeli wrote:

My question was about the legal meaning, or, better, prevalent legal interpretation, of "signature-only key". ...

This is not a purely academic issue. For example, in Hong Kong the import of cryptographic devices is exempted from import licensing (not a big hurdle, but an annoying bureaucratic procedure nevertheless) if they are "only used for authentication or digital signature":

Ah. The certificate structure - keys, software, smartcards, data, etc. can all work fine as signature-only, so it sounds like it'll pass your import license issues. On the other hand, the Diffie-Hellman key exchange itself, and the symmetric-key application that uses the key generated by DH, aren't signature-only systems - they're clearly for doing encryption. So you'll need to keep track of which pieces are integrated and which are separate.

Do your import restrictions apply to intangibles like downloading software in the net? Some places only restrict import/export of physical objects.

Thanks! Bill

Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
RE: Using signature-only certs to authenticate key exchanges
Enzo,

My apologies for being unclear. Since I am not an attorney licensed to practice law in Hong Kong, I of course cannot speak to the legalities of using a cert/key with a signature-only key usage restriction for encryption purposes. Though I suspect even an attorney meeting the above qualifications could not answer with certainty which consequences the manufacturer of signature-only devices might face should such devices be used for encryption purposes.

As a data point, to the best of my knowledge, the use of signature-only keys for encryption purposes has not been tested in any court of law anywhere on the planet. Which tends to mean that any claims as to what the consequences of doing so would be are speculative at best.

(Long rant why relying on an application outside one's control to enforce key usage is bound to fail omitted).

--Lucky Green [EMAIL PROTECTED]

"Anytime you decrypt: that's against the law".
Jack Valenti, President, Motion Picture Association of America in a sworn deposition, 2000-06-06

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Enzo Michelangeli
Sent: Wednesday, August 16, 2000 16:40
To: Cryptography@C2. Net
Subject: Re: Using signature-only certs to authenticate key exchanges

Lucky (and Bill, in another message),

My question was about the legal meaning, or, better, prevalent legal interpretation, of "signature-only key". I know how authenticated key exchange mechanisms work, and, on the other hand, Ron Rivest has shown that at least in principle there are other ways of achieving confidentiality by relying only on authentication primitives.

This is not a purely academic issue. For example, in Hong Kong the import of cryptographic devices is exempted from import licensing (not a big hurdle, but an annoying bureaucratic procedure nevertheless) if they are "only used for authentication or digital signature":

http://www.info.gov.hk/tid/faq/strategic1.htm#q23

This effectively exempts things like signature-only smartcards and similar tokens.

Cheers --
Enzo

- Original Message -
From: "Lucky Green" [EMAIL PROTECTED]
To: "Cryptography@C2. Net" [EMAIL PROTECTED]
Sent: Wednesday, August 16, 2000 4:00 PM
Subject: RE: Using signature-only certs to authenticate key exchanges

Enzo,

Many applications that employ certs ignore key usage restrictions. This isn't your fault or the fault of the CA. It simply reflects a 'broken' implementation. IANAL, but I fail to see how you or your customers could be held responsible for applications that use certs in ways other than the cert was intended to be used by the issuer. [...]
Tipster voluntary payment protocol
"Tipster" is the name I'm using for the voluntary payment scheme I posted to the coderpunks and cypherpunks lists (among others) a few weeks ago under the title "Kill the RIAA: a protocol."

http://www.inet-one.com/cypherpunks/dir.2000.07.24-2000.07.30/msg00387.html

Since that post, I've set up a weblog to track the development of the protocol and related voluntary payment issues, and just tonight I finished the first draft of the cryptographic protocol which enables Tipster's authenticated connection mechanism.

I would appreciate feedback.

http://tipster.weblogs.com

Thanks in advance.

-Jeff

--
|Jeff Kandt | "When cryptography is outlawed, bayl bhgynjf |
|[EMAIL PROTECTED] | jvyy unir cevinpl!" -Brad Templeton of ClariNet |
|[PGP Pub key: http://pgp.ai.mit.edu/pks/lookup?op=getsearch=0x6CE51904 |
| or send a message with the subject "send pgp key"]|