--
James A. Donald
Let us imagine that SSH had certified keys. Well,
certifying a key is bound to be complicated, and
things are bound to go wrong, and the name that you
bind it to is bound to be somewhat shifty.
Ben Laurie
I don't see why that would happen all that much,
It
http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html?tag=st.rn
The article is a bit long-winded and short on details, but the basic
message is simple: too many CAs have engaged in a price- and
cost-driven race to the bottom; there are thus too many certificates
being
At 03:34 PM 12/14/2005, [EMAIL PROTECTED] wrote:
An application programmer who is using PKCS1 doesn't even need to
know the small amount of ASN.1 in the spec... libraries that
implement RSA PKCS1 take care of the ASN.1 for the programmer.
This is in fact one reason that ASN.1 exploits
have
Steven M. Bellovin wrote:
The article is a bit long-winded and short on details, but the basic
message is simple: too many CAs have engaged in a price- and
cost-driven race to the bottom; there are thus too many certificates
being issued that aren't really trustworthy. A group of CAs and
--
From: Steven M. Bellovin
[EMAIL PROTECTED]
http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html?tag=st.rn
The article is a bit long-winded and short on details,
Typical marketing bullshit.
but the basic message is simple: too many CAs
In message [EMAIL PROTECTED], James A. Donald writes:
--
Has anyone been attacked through a certificate that
would not have been issued under stricter security? The
article does not mention any such attacks, nor have I
ever heard of such an attack.
If no attacks, this is just an excuse
--
From: Steven M. Bellovin
[EMAIL PROTECTED]
The very first phishing attack I ever heard of was for
paypa1.com. As I recall, they did have a certificate.
And would they not have had a high assurance
certificate, since presumably they really were
papypa1.com?
Even if the
A small editorial from your moderator. I rarely use this list to
express a strong political opinion -- you will forgive me in this
instance.
This mailing list is putatively about cryptography and cryptography
politics, though we do tend to stray quite a bit into security issues
of all sorts, and
Higher assurance means that when the CA gets duped, it's even better
for the phishers, because that nice, reassuring green bar will be
there.
To preserve the internet channel as a means of communicating with
customers, we need to move to bookmarks, not email with clickable
URLs. That method is a
On 12/18/05, James A. Donald [EMAIL PROTECTED] wrote:
Even if the vendors do implement a policy that all new
urls must be significantly different from known high
value urls, which is not their stated policy, this is
not going to help much with such high value urls as:
David Mercer wrote:
Holy water indeed! As at least someone on this list doesn't seem to
see that there is a 'too many true names' problem, here are some
examples from the ssl sites I use (almost) daily. Second level
domains changed to protect the guilty (and url's chopped for safety):
part
Perry E. Metzger [EMAIL PROTECTED] writes:
A small editorial from your moderator. I rarely use this list to
express a strong political opinion -- you will forgive me in this
instance.
A couple of people have written to ask if they can forward on this
message elsewhere. Yes, I am happy with
| 2) the vast majority of e-commerce sites did very few
| transactions each. this was the market segment involving e-commerce
| sites that aren't widely known and/or represents first time business. it
| is this market segment that is in the most need of trust establishment;
| however, it
James A. Donald wrote:
--
Has anyone been attacked through a certificate that
would not have been issued under stricter security? The
article does not mention any such attacks, nor have I
ever heard of such an attack.
How much money does a phishing site make before it is forced to
At 10:58 AM 12/18/2005, Perry E. Metzger wrote:
The President claims he has the prerogative to order such
surveillance. The law unambiguously disagrees with him.
There are minor exceptions in the law, but they clearly do not apply
in this case. They cover only the 15 days after a declaration of
On 12/19/05 9:54 AM, [EMAIL PROTECTED] wrote:
Imagine a E-commerce front end: Instead of little-guy.com buying a cert
which you are supposed to trust, they go to e-commerce.com and pay for a
link. Everyone trusts e-commerce.com and its cert. e-commerce provides a
guarantee of some sort to
Bill Stewart [EMAIL PROTECTED] writes:
At 10:58 AM 12/18/2005, Perry E. Metzger wrote:
The President claims he has the prerogative to order such
surveillance. The law unambiguously disagrees with him.
There are minor exceptions in the law, but they clearly do not apply
in this case. They cover
In message [EMAIL PROTECTED], Perry E. Metzger writes:
I have been unable to find any evidence in the text of said
resolutions that they in any way altered or amended the law on this,
even temporarily. Perhaps it is the argument of the President's
lawyers that something analogous to a state of
James A. Donald wrote:
--
James A. Donald
Let us imagine that SSH had certified keys. Well,
certifying a key is bound to be complicated, and
things are bound to go wrong, and the name that you
bind it to is bound to be somewhat shifty.
Ben Laurie
I don't see why that would happen
Anytime someone wants to rewrite a C library in a language less prone
to buffer overflows, I'm totally for it. Some say that it's not the
library, it's the programmer, but I think that denies human factors.
C simply requires too much machinery on top of it to use it securely.
It is possible to