Re: Beware of /dev/random on Mac OS X
In message [EMAIL PROTECTED], Peter Hendrickson [EMAIL PROTECTED] wrote: Apple apparently only accepts bug reports from members of the Apple Developers Connection. If any such members are on this list, it might be a good idea to submit a report: https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa Membership in ADC is available in both free and paid versions. You can set up an account for the free version at: http://connect.apple.com/ -- Shields. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: U.S. seeks OSCE pact on biometric passports
Anyone have any pointers to non destructive methods of rendering Smart Chips unreadable? Just curious. DCF On Mon, 1 Sep 2003, R. A. Hettinga wrote: http://dynamic.washtimes.com/print_story.cfm?StoryID=20030901-124025-4029r The Washington Times www.washingtontimes.com U.S. seeks OSCE pact on biometric passports By Nicholas Kralev Published September 1, 2003 VIENNA, Austria - The United States, seeking to keep out terrorists and other criminals, this week begins a major diplomatic effort to persuade 54 nations to adopt biometric standards when issuing passports to their citizens. Those standards, regulated by the International Civil Aviation Organization, require every passport to have a machine-readable chip containing the owner's digital photo, which is protected by a digital signature. The Bush administration, hoping to minimize the complexity of negotiating separate bilateral agreements with all countries in the world, plans to start with a multilateral accord among the 55 members of the Organization for Security and Cooperation in Europe (OSCE), U.S. diplomats said. It's a significant logistical job, Stephen M. Menekes, the U.S. ambassador to the Vienna, Austria-based organization, said in an interview. But it's here, all in place, ready to be used. Mr. Menekes said J. Cofer Black, the State Department's coordinator for counterterrorism, had the idea when he attended an OSCE conference in June, and he walked out of here convinced that this was the way to go. U.S. diplomats say they hope to sign an agreement at the Dec. 1-2 annual OSCE ministerial meeting in the Dutch city of Maastricht, which would give the event a sufficiently high profile to guarantee the presence of Secretary of State Colin L. Powell. Mr. Powell skipped the meeting last year because of more pressing responsibilities. What we are hopeful is to get a decision at the ministerial that all states will commit to at least begin issuing passports with biometric data by December 2005, said Katherine Brucker, a political officer at the U.S. mission to the OSCE. She noted that 21 of the OSCE members - most of them European Union states - are on the Visa Waiver program, which allows their citizens to enter the United States for short periods without first obtaining a visa at an American consulate overseas. They will be obligated to start issuing biometric passports by Oct. 26, 2004, if they want to stay in the program, she said. They already said it's moving in this direction. In a paper to its fellow OSCE members outlining its proposal, the United States said that restricting the movement of terrorists and organized criminals is imperative in the global fight against terror. The ability of criminals to forge travel documents - or to falsely obtain genuine ones - remains a serious and ongoing problem, says the document, a copy of which was given to The Washington Times. Harmonized travel document security measures and features among OSCE participating states would greatly enhance security throughout our region. More effective and harmonized issuance standards and controls, combined with bearer-specific security features, would greatly inhibit the movement of terrorists, it says. The Bush administration has been repeatedly accused abroad - particularly in Europe - of pursuing a unilateral foreign policy and bullying other nations into submitting to its wishes. But Miss Brucker said the administration is trying to identify ways a large multinational organization can actually do something useful in the war on terror, as in the case of OSCE. We've actually been quite successful, she said. The OSCE operates on consensus, and its decisions are only politically - not legally - binding, but countries do take them seriously. Soon after the September 11 attacks in 2001, the OSCE pledged to prevent the movement of terrorist individuals or groups through effective border controls and controls on issuance of identity papers and travel documents, as well as through measures for ensuring the security of identity papers and travel documents and preventing their counterfeiting, forgery or fraudulent use. Copyright © 2003 News World Communications, Inc. All rights reserved. Return to the article -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: invoicing with PKI
At 12:23 PM 9/1/2003 -0400, Ian Grigg wrote: 1. invoicing, contracting - no known instances 2. authentication and authorisation - SSL client side certs deployed within organisations. 3. payments 4. channel security (SSL) 5. email (OpenPGP, S/MIME) somewhat related thread in sci.crypt ... summary http://www.garlic.com/~lynn/2003l.html#33 RSA vs AES background http://www.garlic.com/~lynn/2003l.html#24 RSA vs AES http://www.garlic.com/~lynn/2003l.html#27 RSA vs AES http://www.garlic.com/~lynn/2003l.html#28 RSA vs AES http://www.garlic.com/~lynn/2003l.html#32 RSA vs AES when we were working with small client/server startup for payments http://www.garlic.com/~lynn/aadsm5.htm#asrn2 http://www.garlic.com/~lynn/aadsm5.htm#asrn3 we coined the term certificate manufacturing as part of doing due diligence on various commercial CAs ... to distinguish from PKI. we've also since claimed that proposal, effectively by SSL server certification business ... to have public keys registered as part of the domain name process goes a long way to both 1) improving the integrity of the domain name infrastructure and 2) provides basis for trusted, real-time public key distribution making SSL server certificates redundant and superfluous. http://www.garlic.com/~lynn/subpubkey.html#sslcerts One of the big issues with identity x.509 certificates from the early 90s was the quandary with 1) overloading a certificate with huge amounts of privacy information (hoping that its use by unknown relying parties at some point in the future would find something in the certificate useful and 2) the extremely onerous privacy issues with the spraying of such privacy information all over the world. Somewhat as a result, financial infrastructures dropped back to relying-party-only certificates something that effectively contained only the public key and the account number. http://www.garlic.com/~lynn/subtopic.html#rpo Somebody from Deutsche bank made a presentation in 1998 regarding having moved to relying-party-only certificates because of the enormous privacy and liability issues. However, since Duetsche bank had issued the certificate for the public key (and account), Duetsche bank already had the public key on file. There was actually nothing in the appended relying-party-only certificate that carried any information that Duetsche bank didn't already had on file (and the elimination of the requirement to append a certificate tended to remove a large payload penalty). It was relatively trivial to show for financial transactions that relying-party-only certificates were redundant and superfluous (i.e. the financial institution already has all the information so there is no reason to tack a certificate on to the end of every transaction or communication with the bank). The other issue ... somewhat highlighted by SET was that the payload penalty for certificates in the payment infrastructure was enormous ... a basic SET certificate possibly being two orders of magnitude larger than the basic payment message. As a result, SET typically was deployed for internet only operations with a gateway between the internet and the payment network performing the signature verification, stripping off the certificate and flagging the real payment transaction indicating that the signature had verified. First of all that violates one of the basic principles of end-to-end security. In fact, somebody from VISA presented some numbers in an ISO standards meetings about the transactions flowing through interchange with the signature verified flag set and they could prove that no digital signature technology was ever involved. The financial standards x9a10 working group was given the requirement to preserve the integrity of the financial infrastructure for all electronic retail payments (aka ALL as in internet, non-internet, point-of-sale, face-to-face, non-face-to-face, debit, credit, ach, stored-value, etc ... i.e. ALL). The result was a digital signed transaction that was lightweight enough that it would operate in all environments and didn't require the enourmous payload penalty of an appended certificate: http://www.garlic.com/~lynn/index.html#x959 NACHA tested a certificate-less digitally signed debit transaction in their Internet trials: http://www.garlic.com/~lynn/index.html#aadsnacha -- Anne Lynn Wheelerhttp://www.garlic.com/~lynn/ Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]