Re: [mm] delegating SSL certificates

2008-03-16 Thread Ben Laurie
Dirk-Willem van Gulik wrote: So I'd argue that while x509, its CA's and its CRL's are a serious pain to deal** with, and seem add little value if you assume avery diligent and experienced operational team -- they do provide a useful 'procedural' framework and workflow-guide which is in itself v

Re: delegating SSL certificates

2008-03-16 Thread Dirk-Willem van Gulik
On Mar 16, 2008, at 12:32 PM, Ben Laurie wrote: [EMAIL PROTECTED] wrote: So at the company I work for, most of the internal systems have expired SSL certs, or self-signed certs. Obviously this is bad. You only think this is bad because you believe CAs add some value. SSH keys aren't signed

Re: delegating SSL certificates

2008-03-16 Thread John Levine
>> So at the company I work for, most of the internal systems have >> expired SSL certs, or self-signed certs. Obviously this is bad. > >You only think this is bad because you believe CAs add some value. Presumably the value they add is that they keep browsers from popping up scary warning messag

Re: cold boot attacks on disk encryption

2008-03-16 Thread The Fungi
On Sat, Feb 23, 2008 at 05:09:29AM +1300, Peter Gutmann wrote: > There were commercial products that did this available some years > ago, they hooked into the Windows auth using a custom GINA DLL > (GINA = the Windows extensible login/authentication mechanism, > think PAM for Windows) and locked th

Re: RNG for Padding

2008-03-16 Thread William Allen Simpson
We had many discussions about this 15 years ago You usually have predictable plaintext. A cipher that isn't strong enough against a chosen/known plaintext attack has too many other protocol problems to worry about mere padding! For IPsec, we originally specified random padding with 1 traili

Re: delegating SSL certificates

2008-03-16 Thread Ben Laurie
[EMAIL PROTECTED] wrote: So at the company I work for, most of the internal systems have expired SSL certs, or self-signed certs. Obviously this is bad. You only think this is bad because you believe CAs add some value. SSH keys aren't signed and don't expire. Is that bad? -- http://www.apac

Re: delegating SSL certificates

2008-03-16 Thread Peter Gutmann
[EMAIL PROTECTED] writes: >I would think this would be rather common, and I may have heard about certs >that had authority to sign other certs in some circumstances... The desire to do it isn't uncommon, but it runs into problems with PKI religious dogma that only a CA can ever issue a certificat