Carl Ellison [EMAIL PROTECTED] writes:
The third annual PKI Research workshop CFP has been posted.
I note that it's still not possible to use PKI to authenticate submissions to
the PKI workshop :-).
(To those people who missed the original comment a year or two back, the first
PKI workshop required that people use plain passwords for the web-based
submission system due to the lack of a PKI to handle the task).
Hey, but at least the password was protected by an SSL channel,
which was
--- begin forwarded text
Status: U
Date: Wed, 22 Oct 2003 14:45:24 +0200
From: Miguel Coca [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Mail-Followup-To: [EMAIL PROTECTED], [EMAIL PROTECTED]
User-Agent: Mutt/1.5.4i
Cc:
Subject: [Announce] GPA 0.7.0 released
List-Id: Help and
http://news.telegraph.co.uk/news/main.jhtml?xml=/news/2003/10/21/wid21.xmlsSheet=/news/2003/10/21/ixworld.html/news/2003/10/21/wid21.xml
The Telegraph
Liberty groups attack plan for EU health ID card
By Ambrose Evans-Pritchard in Brussels
(Filed: 21/10/2003)
The European Union took its first
I read the WYTM thread with great interest because it dovetailed nicely with some
research I am
currently involved in. But I would like to branch this topic onto something specific,
to see what
everyone here thinks.
As far as I can glean, the general consensus in WYTM is that MITM attacks are
Tom Otvos wrote:
As far as I can glean, the general consensus in WYTM is that MITM attacks are very
low (read:
inconsequential) probability. Is this *really* true?
The frequency of MITM attacks is very low, in the sense
that there are few or no reported occurrences. This
makes it a
So what purpose would client certificates address? Almost all of the use
of SSL domain name certs is to hide a credit card number when a consumer
is buying something. There is no requirement for the merchant to
identify and/or authenticate the client the payment infrastructure
On 10/22/2003 04:33 PM, Ian Grigg wrote:
The frequency of MITM attacks is very low, in the sense that there
are few or no reported occurrences.
We have a disagreement about the facts on this point.
See below for details.
This makes it a challenge to
respond to in any measured way.
We have a
At 05:08 PM 10/22/2003 -0400, Tom Otvos wrote:
The CC number is clearly not hidden if there is a MITM. I think the "I
got my money so who cares where it came from" argument is not entirely a fair
representation. Someone ends up paying for
abuses, even if it is us in CC fees, otherwise why
Nobody doubts that it can occur, and that it *can*
occur in practice. It is whether it *does* occur
that is where the problem lies.
Or, whether it gets reported if it does occur.
The question is one of costs and benefits - how much
should we spend to defend against this attack? How
Tom Otvos wrote:
As far as I can glean, the general consensus in WYTM is that MITM
attacks are very low (read:
inconsequential) probability. Is this *really* true?
I'm not aware of any such consensus.
I suspect you'd get plenty of debate on this point.
But in any case, widespread exploitation of
Ian Grigg [EMAIL PROTECTED] writes:
Nobody doubts that it can occur, and that it *can*
occur in practice. It is whether it *does* occur
that is where the problem lies.
The question is one of costs and benefits - how much
should we spend to defend against this attack? How
much do we save
On Wed, Oct 22, 2003 at 05:08:32PM -0400, Tom Otvos wrote:
So what purpose would client certificates address? Almost all of the use
of SSL domain name certs is to hide a credit card number when a consumer
is buying something. There is no requirement for the merchant to
identify and/or
[EMAIL PROTECTED] (David Wagner) writes:
Tom Otvos wrote:
As far as I can glean, the general consensus in WYTM is that MITM
attacks are very low (read:
inconsequential) probability. Is this *really* true?
I'm not aware of any such consensus.
I will state that MITM attacks are hardly a
Tom Weinstein wrote:
Ian Grigg wrote:
Nobody doubts that it can occur, and that it *can* occur in practice.
It is whether it *does* occur that is where the problem lies.
This sort of statement bothers me.
In threat analysis, you have to base your assessment on capabilities,
not
Take many grains of salt before concluding that MITM attacks are either
hard or don't happen.
It is just that the environment for them is not the Internet per se, but
modern switched LANs. The basic trick to monitoring someone's LAN traffic
is to convince the ARP machinery that the MITM MAC is
Ian Grigg [EMAIL PROTECTED] writes:
In threat analysis, you base your assessment on
economics of what is reasonable to protect. It
is perfectly valid to decline to protect against
a possible threat, if the cost thereof is too high,
as compared against the benefits.
The cost of MITM
At 05:42 PM 10/22/2003 -0400, Tom Otvos wrote:
Absolutely true. If the only effect of a MITM is loss of privacy, then
that is certainly a
lower-priority item to fix than some quick cash scheme. So the threat
model needs to clearly
define who the bad guys are, and what their motivations are.
Ian Grigg wrote:
Tom Weinstein wrote:
In threat analysis, you have to base your assessment on capabilities,
not intentions. If an attack is possible, then you must guard against
it. It doesn't matter if you think potential attackers don't intend to
attack you that way, because you really don't
We've heard a bit recently from certain parties, especially Ian Grigg,
claiming that one should use a cost/benefit analysis before using
TLS. The claim seems to be that it provides more protection than one
really needs.
However, there are many perfectly free (in both senses) TLS
implementations,
Perry E. Metzger wrote:
Ian Grigg [EMAIL PROTECTED] writes:
In threat analysis, you base your assessment on
economics of what is reasonable to protect. It
is perfectly valid to decline to protect against
a possible threat, if the cost thereof is too high,
as compared against the
Ian Grigg [EMAIL PROTECTED] writes:
Perry E. Metzger wrote:
The cost of MITM protection is, in practice, zero.
Not true! The cost is from 10 million dollars to
100 million dollars per annum. Those certs cost
money, Perry!
They cost nothing at all. I use certs every day that I've