Re: PGP Encryption Proves Powerful

2003-06-04 Thread Bill Stewart
At 11:38 AM 05/30/2003 -0700, John Young wrote: If the FBI cannot crack PGP that does not mean other agencies with greater prowess cannot. It is unlikely that the capability to crack PGP would be publicly revealed for that would close an invaluable source of information. Still, it is

RE: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Peter Gutmann
Lucky Green [EMAIL PROTECTED] writes: I trust that we can agree that the volume of traffic and number of transactions protected by SSL are orders of magnitude higher than those protected by SSH. As is the number of users of SSL. The overwhelming majority of which wouldn't know ssh from telnet.

Re: New vs Old (was Snake Oil)

2003-06-04 Thread bear
On Tue, 3 Jun 2003 [EMAIL PROTECTED] wrote: I confess to being confused - though admittedly part of the blame for this is my own ignorance. I remember a time when PGP was a command line application. The only algorithms it used were IDEA (symmetric), RSA (asymmetric) and MD5 (hash). I came to

Re: PGP Encryption Proves Powerful

2003-06-04 Thread Bill Stewart
At 08:17 AM 06/03/2003 -0700, bear wrote: what he said was with cryptanalysis alone. Rubber-hose methods are not cryptanalysis, and neither is password guessing. Eh? Password guessing certainly is. I'm not aware of a PGP port to the Psion, but at least the Psion 3/3a/3c generation were 8086-like

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Bill Frantz
At 7:42 AM -0700 6/3/03, John Kelsey wrote: I keep wondering how hard it would be to build a cordless phone system on top of 802.11b with some kind of decent encryption being used. I'd really like to be able to move from a digital spread spectrum cordless phone (which probably has a 16-bit key

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Anne Lynn Wheeler
On Tue, 2003-06-03 at 07:04, Peter Gutmann wrote: That's a red herring. It happens to use X.509 as its preferred bit-bagging format for public keys, but that's about it. People use self-signed certs, certs from unknown CAs [0], etc etc, and you don't need certs at all if you don't need them,

Re: Nullsoft's WASTE communication system

2003-06-04 Thread Steven M. Bellovin
The AP wire reports that the founder of Nullsoft, Justin Frankel, plans to resign in the wake of WASTE being pulled. http://www.nytimes.com/aponline/technology/AP-AOL-Nullsoft.html --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com

Re: New vs Old (was Snake Oil)

2003-06-04 Thread Bill Stewart
At 08:53 AM 06/03/2003 -0700, bear wrote: IDEA is still a good cipher as far as I know, but PGP has been driven away from it in the US due to intellectual-property issues. Rather than continue with incompatible versions for use inside/outside the USA, they're switching to CAST (although this is

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Bill Stewart
At 11:38 AM 06/03/2003 -0400, Ian Grigg wrote: I (arbitrarily) define the marketplace for SSL as browsing. ... There, we can show statistics that indicate that SSL has penetrated to something slightly less than 1% of servers. For transmitting credit card numbers on web forms, I'd be surprised if

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Eric Blossom
On Tue, Jun 03, 2003 at 06:17:12PM -0400, John Kelsey wrote: At 01:25 PM 6/3/03 -0700, Eric Blossom wrote: ... I agree end-to-end encryption is worthwhile if it's available, but even when someone's calling my cellphone from a normal landline phone, I'd like it if at least the over-the-air

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Anne Lynn Wheeler
At 03:04 PM 6/3/2003 -0700, James A. Donald wrote: I never figured out how to use a certificate to authenticate a client to a web server, how to make a web form available to one client and not another. Where do I start? What I and everyone else does is use a shared secret, a password stored on

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Ian Grigg
Tim Dierks wrote: At 09:11 AM 6/3/2003, Peter Gutmann wrote: Lucky Green [EMAIL PROTECTED] writes: Given that SSL use is orders of magnitude higher than that of SSH, with no change in sight, primarily due to SSL's ease-of-use, I am a bit puzzled by your assertion that ssh, not SSL, is