Steven M. Bellovin wrote:
In message [EMAIL PROTECTED], Ian Grigg writes:
M Taylor wrote:
MITM is a real and valid threat, and should be
considered. By this motive, ADH is not a recommended
mode in TLS, and is also deprecated.
Ergo, your threat model must include MITM, and you
will
On Wed, 1 Oct 2003, Ian Grigg wrote:
M Taylor wrote:
Stupid question I'm sure, but does TLS's anonymous DH protect against
man-in-the-middle attacks? If so, how? I cannot figure out how it would,
Ah, there's the rub. ADH does not protect against
MITM, as far as I am aware.
DH is an open
On Wed, Oct 01, 2003 at 07:02:00PM -0700, bear wrote:
Heh. You looked at my mail headers, didn't you? Yes, I use pine -
primarily *because* of that property. It treats all incoming messages
as text rather than live code.
A protocol for text (as opposed to live code) requires compliant
From: bear [EMAIL PROTECTED]
Heh. You looked at my mail headers, didn't you? Yes, I use pine -
primarily *because* of that property. It treats all incoming messages
as text rather than live code.
BUGTRAQ in the last 3 years lists over 80 mails on pine - including
reference to this recently:
On Wednesday 01 October 2003 22:02, bear wrote:
No, it is not. You can make a hyperdocument that is completely
self-contained and therefore text, but that is not how HTML is
normally made. HTML can cause your machine to do things other than
display it, and to that extent it is code, not
slightly ranting, you might want to hit del now :)
Ian Grigg wrote:
What is written in these posts (not just the present one)
does derive from that viewpoint and although one can
quibble about the details, it does look very much from
the outside that there is an informal Cryptographers
Guild
perry wrote:
We could use more implementations of ssl and
of ssh, no question.
...more cleanly implemented and simpler to use
versions of existing algorithms and protocols...
would be of tremendous utility.
jill ramonsky replied:
I am very much hoping that you can answer both (a)
and (b)
Schu stressed that several layers of security will prevent hackers from
accessing the system. VeriSign will house the security servers in its own
hosting centers. The company will ask military personnel to use their
Common Access Cards--the latest form of ID for the military--to access
the
Thanks everyone for the SSL encouragement. I'm going to have a quick
re-read of Eric's book over the weekend and then start thinking about
what sort of easy to use implementation I could do. I was thinking of
doing a C++ implementation with classes and templates and stuff. (By
contrast OpenSSL
Paul Kocher quote at the bottom...
Cheers,
RAH
---
http://www.hollywoodreporter.com/thr/article_display.jsp?vnu_content_id=1991585
The Hollywood Reporter
Oct. 02, 2003
Speciality film heads meet to respond to MPAA
By Gregg Kilday
The MPAA may have hoped to create a nonproliferation
| Can be relied on to _only_ deliver text is a valuable and important
| piece of functionality, and a capability that has been cut out of too
| many protocols with no replacement in sight.
While I agree with the sentiment, the text/code distinction doesn't capture
what's important.
Is HTML
--- begin forwarded text
Status: U
From: James A. Donald [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wed, 1 Oct 2003 23:37:08 -0700
Subject: Return of the death of cypherpunks.
Sender: [EMAIL PROTECTED]
--
When a mailing list is full of crap, it dies, even though the
regulars set
Bear wrote:
DH is an open protocol; it doesn't rely on an initial shared
secret or a Trusted Authority.
There is a simple proof that an open protocol between anonymous
parties is _always_ vulnerable to MITM.
Put simply, in an anonymous protocol, Alice has no way of knowing
whether she
On Thu, Oct 02, 2003 at 02:21:29PM +0100, Jill Ramonsky wrote:
Thanks everyone for the SSL encouragement. I'm going to have a quick
re-read of Eric's book over the weekend and then start thinking about
what sort of easy to use implementation I could do. I was thinking of
doing a C++
Perry E. Metzger [EMAIL PROTECTED] writes:
Guus Sliepen [EMAIL PROTECTED] writes:
In that case, I don't see why you don't bend your efforts towards
producing an open-source implementation of TLS that doesn't suck.
We don't want to program another TLS library, we want to create a VPN
Simon Josefsson [EMAIL PROTECTED] writes:
Several people have now suggested using TLS, but nobody seems to also
refute the arguments made earlier against building VPNs over TCP, in
http://sites.inka.de/~bigred/devel/tcp-tcp.html.
Well, I agree, the most reasonable thing to do is to use ipsec,
Peter has raised a number of important points. Let me start by saying that
I do not see a strong distinction between a file to be viewed and a
program. Both are instructions to the computer to perform some actions.
While we might think the renderer showing us flat ASCII text is quite
bear wrote:
You can have anonymous protocols that aren't open be immune to MITM
True.
And you can have open protocols that aren't anonymous be immune to
MITM.
True.
But you can't have both.
False. In fact, it is possible to prove the existence of at least one open and
anonymous
At 8:32 PM -0700 10/1/03, Matt Blaze wrote:
It might be debatable whether only licensed electricians should
design and install electrical systems. But hardly anyone would argue
that electrical system designers and installers needn't be competent
at what they do. (Perhaps most of those who would
Guus Sliepen wrote:
Some advice on licensing wouldn't go amiss either. (GPL? ... LGPL? ...
something else?)
I'd say LGPL or BSD, without any funny clauses.
With crypto code, we have taken the view that it
should be BSD 2 clause. The reason for this is that
crypto code has enough other