I think this thread has run its course and is sufficiently off topic for this
list, so I am declaring it closed.
Thank you
Tamzen
On Oct 11, 2013, at 1:48 AM, ianG wrote:
...
> What's your goal? I would say you could do this if the goal was ultimate
> security. But for most purposes this is overkill (and I'd include online
> banking, etc, in that).
We were talking about how hard it is to solve crypto protocol problems
On 10/10/2013 6:40 PM, grarpamp wrote:
> On Thu, Oct 10, 2013 at 11:58 AM, R. Hirschfeld wrote:
>> To send a prism-proof email, encrypt it for your recipient and
>> send it to irrefrangi...@mail.unipay.nl. Don't include any
>> information about
>>
On Thu, Oct 10, 2013 at 03:54:26PM -0400, John Kelsey wrote:
> Having a public bulletin board of posted emails, plus a protocol for
> anonymously finding the ones your key can decrypt, seems like a pretty decent
> architecture for prism-proof email. The tricky bit of crypto is in making
> access
On Thu, Oct 10, 2013 at 04:24:19PM -0700, Glenn Willen wrote:
> I am going to be interested to hear what the rest of the list says about
> this, because this definitely contradicts what has been presented to me as
> 'standard practice' for PGP use -- verifying identity using government issued
> ID
On 10/10/13 19:06 PM, John Kelsey wrote:
Just thinking out loud
The administrative complexity of a cryptosystem is overwhelmingly in key
management and identity management and all the rest of that stuff. So imagine
that we have a widely-used inner-level protocol that can use strong crypto
Reply to various,
Yes, the value in a given key signing is weak, in fact every link in the
web of trust is terribly weak.
However, if you notarize and publish the links in CT fashion then I can
show that they actually become very strong. I might not have good evidence
of John Gilmore's key at RSA
All,
Quick question, anyone got a good scheme for key stretching?
I have this scheme for managing private keys that involves storing them as
encrypted PKCS#8 blobs in the cloud.
AES128 seems a little on the weak side for this but there are (rare)
circumstances where a user is going to need to ty
On 2013-10-10 (283), at 19:24:19, Glenn Willen wrote:
> John,
>
> On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>>
>> An important user experience point is that we should be teaching GPG
>> users to only sign the keys of people who they personally know.
[]
>> would be false and would u
Does anyone recollect the history behind and the implications of the
(open) SSH choice of 35 as a hard-wired public exponent?
key.c: private = RSA_generate_key(bits, 35, NULL, NULL);
i.e. 100011 binary compared to the more typical F4 10001 binary
Thanks,
Tim.
On 11/10/13 02:24 AM, Glenn Willen wrote:
John,
On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
... Signing them would assert to
any stranger that "I know that this key belongs to this identity", which
would be false and would undermine the strength of the web of trust.
Where is this writ
Glenn Willen writes:
>I am going to be interested to hear what the rest of the list says about
>this, because this definitely contradicts what has been presented to me as
>'standard practice' for PGP use -- verifying identity using government issued
>ID, and completely ignoring personal knowledge
grarpamp wrote:
> On Thu, Oct 10, 2013 at 11:58 AM, R. Hirschfeld wrote:
> > To send a prism-proof email, encrypt it for your recipient and send it
> > to irrefrangi...@mail.unipay.nl. Don't include any information about
> >
> > To receive prism-proof email, subscribe to the irrefrangible mailin
On 10/10/13 08:41 AM, Bill Frantz wrote:
We should try to characterize what "a very long time" is in years. :-)
Look at the produce life cycle for known crypto products. We have some
experience of this now. Skype, SSL v2/3 -> TLS 0/1/2, SSH 1 -> 2, PGP 2
-> 5+.
As a starting point, I wo
On 10/10/13 17:58 PM, Salz, Rich wrote:
TLS was designed to support multiple ciphersuites. Unfortunately this opened
the door
to downgrade attacks, and transitioning to protocol versions that wouldn't do
this was nontrivial.
The ciphersuites included all shared certain misfeatures, leading to t
On Thu, Oct 10, 2013 at 04:22:50PM -0400, Jerry Leichter wrote:
> On Oct 10, 2013, at 11:58 AM, "R. Hirschfeld" wrote:
> > Very silly but trivial to "implement" so I went ahead and did so:
> >
> > To send a prism-proof email, encrypt it for your recipient and send it
> > to irrefrangi...@mail.uni
On 10/10/2013 08:54 PM, John Kelsey wrote:
> Having a public bulletin board of posted emails, plus a protocol for
> anonymously finding the ones your key can decrypt, seems like a pretty decent
> architecture for prism-proof email. The tricky bit of crypto is in making
> access to the bulletin
I like the ideas, John.
The idea, and the protocol you sketched out, are a little reminiscent
of ZRTP ¹ and of tcpcrypt ². I think you can go one step further,
however, and make it *really* strong, which is to offer the "higher"
or "outer" layer a way to hook into the crypto from your inner layer.
On 10 October 2013 22:31, John Gilmore wrote:
>> Does PGP have any particular support for key signing parties built in or is
>> this just something that has grown up as a practice of use?
>
> It's just a practice. I agree that building a small amount of automation
> for key signing parties would
Saw this on Arstechnica today and thought I'd pass along the link.
http://arstechnica.com/security/2013/09/fatal-crypto-flaw-in-some-government-certified-smartcards-makes-forgery-a-snap/2/
More detailed version of the story available at:
https://factorable.net/paper.html
Short version: Taiwane
This is a job for a key derivation function or a cryptographic prng. I would
use CTR-DRBG from 800-90 with AES256. Or the extract-then-expand KDF based on
HMAC-SHA512.
--John
AES128, rather.
Sent from my iPhone
On Oct 11, 2013, at 11:26 AM, Phillip Hallam-Baker wrote:
> All,
>
> Quick question, anyone got a good scheme for key stretching?
>
> I have this scheme for managing private keys that involves storing them as
> encrypted PKCS#8 blobs in the cloud.
>
> AES
On 10/11/13 at 10:32 AM, zoo...@gmail.com (Zooko O'Whielacronx) wrote:
Don't try to study
foolscap, even though it is a very interesting practical approach,
because there doesn't exist documentation of the protocol at the right
level for you to learn from.
Look at the E language sturdy refs, w
On 2013-10-11, at 07:03, Tony Naggs wrote:
> On 10 October 2013 22:31, John Gilmore wrote:
>>> Does PGP have any particular support for key signing parties built in or is
>>> this just something that has grown up as a practice of use?
>>
>> It's just a practice. I agree that building a small
On Oct 11, 2013, at 11:26 AM, Phillip Hallam-Baker wrote:
> Quick question, anyone got a good scheme for key stretching?
>
> I have this scheme for managing private keys that involves storing them as
> encrypted PKCS#8 blobs in the cloud.
>
> AES128 seems a little on the weak side for this but
Dear Ray,
On 2013-10-11, at 19:38 , Ray Dillinger wrote:
> This is despite meeting (for some inscrutable definition of "meeting")
> FIPS 140-2 Level 2 and Common Criteria standards. These standards
> require steps that were clearly not done here. Yet, validation
> certificates were issued.
This
On 2013-10-11 12:03:44 +0100 (+0100), Tony Naggs wrote:
> Do key signing parties even happen much anymore? The last time I saw
> one advertised was around PGP 2.6!
[...]
Within more active pockets of the global free software community
(where OpenPGP signatures are used to authenticate release
arti
On Fri, Oct 11, 2013 at 10:32 AM, Zooko O'Whielacronx wrote:
> I like the ideas, John.
>
> The idea, and the protocol you sketched out, are a little reminiscent
> of ZRTP ¹ and of tcpcrypt ². I think you can go one step further,
> however, and make it *really* strong, which is to offer the "higher
Hi,
commented:
#An alternative I've been considering is having e-mail clients support
#bouncing messages if they are received for an incorrect envelope
#address. So you can have an envelope address and a PGP encrypted blob,
#and when you decrypt that blob there's a new RFC822 with a new envel
Phillip Hallam-Baker writes:
>Quick question, anyone got a good scheme for key stretching?
http://lmgtfy.com/?q=hkdf&l=1
Peter :-).
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
On 2013-10-11 15:48, ianG wrote:
Right now we've got a TCP startup, and a TLS startup. It's pretty
messy. Adding another startup inside isn't likely to gain popularity.
The problem is that layering creates round trips, and as cpus get ever
faster, and pipes ever fatter, round trips become a
Tim Hudson writes:
>Does anyone recollect the history behind and the implications of the (open)
>SSH choice of 35 as a hard-wired public exponent?
/* OpenSSH versions up to 5.4 (released in 2010) hardcoded e = 35, which is
both a suboptimal exponent (it's less efficient that a safer value lik
On 10/11/13 7:34 PM, Peter Gutmann wrote:
Phillip Hallam-Baker writes:
Quick question, anyone got a good scheme for key stretching?
http://lmgtfy.com/?q=hkdf&l=1
Yeah, that's a weaker simplification of the method I've always
advocated, stopping the hash function before the final
MD-strengt