Freenet fork appears likely (was Re: Gmane -- Re: Why is Freenet so sick at the moment?)

2003-10-07 Thread Steve Schear
On Sat, Oct 04, 2003 at 11:31:36PM -0700, Ian Clarke spake thusly: I have never ever characterized Freenet as being anything other than in development. If you don't like the fact that Freenet is taking so long to perfect, then either help, or use Earth Station 5 - I hear it's great. You never

CCIA Microsoft report--the core issues

2003-10-07 Thread R. A. Hettinga
Wherein Carroll trashes Schneier a bit... Cheers, RAH --- http://zdnet.com.com/2102-1107_2-5086379.html?tag=printthis CCIA Microsoft report--the core issues By John Carroll Special to ZDNet October 6, 2003, 5:13 AM PT URL: http://zdnet.com.com/2100-1107-5086379.html COMMENTARY--The

Re: Other OpenSSL-based crypto modules FIPS 140 validated?

2003-10-07 Thread Peter Gutmann
Nathan P. Bardsley [EMAIL PROTECTED] writes: Anecdotally, I've heard that there are many, but almost all of them were done by vendors for embedding in their proprietary products. Ditto. The problem is that when vendors have spent $100K+ on the certification, they're very reluctant to give

Re: anonymity +- credentials

2003-10-07 Thread Anton Stiglic
- Original Message - From: Ian Grigg [EMAIL PROTECTED] [...] In terms of actual practical systems, ones that implement to Brands' level don't exist, as far as I know? There were however several projects that implemented and tested the credentials system. There was CAFE, an

Re: nCipher netHSM

2003-10-07 Thread Nicko van Someren
Ronald, I can confirm that there is no new code or hardware inside the cryptographic boundary as validated by FIPS compared to the most recent release of our PCI cards; all necessary changes to the HSM were put in before the last re-validation of the cards. The UI components themselves are

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Perry E. Metzger
I was asked by someone to anonymously forward the following reply to Joshua Hill to the list. (Second time in a week, and on the same topic!) If you reply, please don't put my name in the reply -- this isn't my comment. --

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Anton Stiglic
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] [...] If you think that's scary, look at Microsoft's CryptoAPI for Windows XP FIPS 140 certification. As with physical security certifications like BS 7799, you start by defining your security perimeter, defining everything

Re: Protocol implementation errors

2003-10-07 Thread Markus Friedl
On Sat, Oct 04, 2003 at 05:58:49PM +1200, Peter Gutmann wrote: Bill Frantz [EMAIL PROTECTED] writes: This is the second significant problem I have seen in applications that use ASN.1 data formats. (The first was in a widely deployed implementation of SNMP.) Given that good, security

Re: Open Source (was Simple SSL/TLS - Some Questions)

2003-10-07 Thread Florian Weimer
Jill Ramonsky wrote: Example. You're a company. You build hardware devices which need to talk to each other securely. (Say, ATMs for example). Obviously it wouldn't make sense for that company to have to supply its ATM-using-customers with the source code of the ATMs. Who's the customer,

Re: Open Source (was Simple SSL/TLS - Some Questions)

2003-10-07 Thread Rich Salz
I took the initial view that closed source and trustable crypto are mutually incompatible Of course this isn't true. When is the last time you built your own ATM or credit-card POS terminal? Claims such as Download this app and you will be secure should definitely need to be proven, and

RE: Simple SSL/TLS - Some Questions

2003-10-07 Thread Jerrold Leichter
| From: Jill Ramonsky [EMAIL PROTECTED] | From: Ian Grigg [mailto:[EMAIL PROTECTED] | | The only question I wasn't quite sure of | was whether, if I take your code, and modify it, | can I distribute a binary only version, and keep | the source changes proprietary? | | You can't

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Peter Gutmann
Anton Stiglic [EMAIL PROTECTED] writes: This is why you get requirements of the type that it should run on Windows in single-user mode, which I take to mean have only an admin account. This prevents privilege escalation attacks (regular user to root) that are easily done. I think this is

Re: Protocol implementation errors

2003-10-07 Thread Peter Gutmann
Markus Friedl [EMAIL PROTECTED] writes: On Sat, Oct 04, 2003 at 05:58:49PM +1200, Peter Gutmann wrote: We've already seen half the SSH implementations in existence taken out by the SSH malformed-packet vulnerabilities, I don't think so. According to the CERT advisory, roughly half of all

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Anton Stiglic
- Original Message - From: Peter Gutmann [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, October 07, 2003 11:07 AM Subject: Re: NCipher Takes Hardware Security To Network Level Anton Stiglic [EMAIL PROTECTED] writes: This is why you get requirements of the

Re: Simple SSL/TLS - Some Questions

2003-10-07 Thread Ralf Senderek
On Mon, 6 Oct 2003, Ian Grigg wrote: (answering Jill's questions) The only question I wasn't quite sure of was whether, if I take your code, and modify it, can I distribute a binary only version, and keep the source changes proprietary? I'd strongly recommend to think about some code-signing

Re: Other OpenSSL-based crypto modules FIPS 140 validated?

2003-10-07 Thread Ben Laurie
Peter Gutmann wrote: Nathan P. Bardsley [EMAIL PROTECTED] writes: Anecdotally, I've heard that there are many, but almost all of them were done by vendors for embedding in their proprietary products. Ditto. The problem is that when vendors have spent $100K+ on the certification,

Re: Simple SSL/TLS - Some Questions

2003-10-07 Thread Anne Lynn Wheeler
At 08:38 PM 10/7/2003 -0400, Ian Grigg wrote: You are not being fair, Lynn, you are hijacking the name of TLS, in order to promote a protocol to protect credit cards. What you described was practically nothing to do with TLS/SSL... Such a protocol would be quite useful no doubt, but it has little