ADMIN: the list...
No, I'm not dead, I've just been extremely delinquent in moderating the list. I should be sending out the queued messages that are still relevant over the next few days, and then we'll be back to normal. Perry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)]
At 11:42 07/01/2004 -0800, Ed Gerck wrote: Jerrold Leichter wrote: Now that we've trashed non-repudiation ... Huh? Processes that can be conclusive are useful and do exist, I read here, in the legal domain. It may not be so clear how such processes can exist in the technical domain and that's why I'm posting ;-) just how is it different from authentication? Using an information theory model, it's clear that authentication needs one channel of information (e.g., the CA's public key, the password list) in addition to the signal (e.g., a signed message, a username/password entry). Authentication rests on the information channel being trusted (i.e., independently verifiable). In this model, non-repudiation is different because it needs at least one additional out-of-band signal (where authenticated absence of the signal is also effective). BTW, that's why digital signatures per se are repudiable -- there's no second, out-of-band signal. An additional technical difference is that authentication promotes strength of evidence while non-repudiation promotes lack of repudiation of evidence. The latter is intuitively recognized to be stronger because a single, effective denial of an act can rebuke any number of strong affirmations. This also means, intuitively, that another difference exists. Non-repudiation should be harder to accomplish than authentication (you want more, you need to pay more). However, to the extent that the process *can be* conclusive, non-repudiation may be worth it. Imagine the added costs, time and hassle (going back to a real-world comparison) if your bank would have to call you to confirm payment for every check you sign? This would be the case if paying a check could not be cast as a conclusive process for the bank (i.e., without the possibility of an irrebuttable presumption of payability). In the UK, but not in other countries, there is a statutory rule which prevents a bank from debiting a customer's account with a forged cheque (if you will forgive the British spelling), with only very limited exceptions. If the customer repudiates a signature, it is for the bank to prove the genuineness of the signature, or suffer the loss. My bank has once or twice telephoned to check the genuineness of an unusual transaction, though this over a period of many years. This is not to disagree with your comments, but to observe that existing paper systems can work satisfactorily without non-repudiation rules. There are obvious advantages to some parties in such systems if it adopts a non-repudiation rule, probably matched with corresponding disadvantages for others. The change from paper to electronic systems of course also alters the balance of risks and the approach of banks to non-repudiation rules. I and colleagues have written about this at: http://elj.warwick.ac.uk/jilt/00-3/bohm.html Regards Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishops Stortford CM22 6SX, UK Phone01279 871272(+44 1279 871272) Fax020 7788 2198(+44 20 7788 2198) - please note new fax number Mobile07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
PGP Corporation Releases PGP Universal 1.1 with Expanded Capabilities for Enterprise Secure Messaging
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_viewnewsId=20040126005200newsLang=en All Headlines January 26, 2004 08:30 AM US Eastern Timezone PGP Corporation Releases PGP Universal 1.1 with Expanded Capabilities for Enterprise Secure Messaging PALO ALTO, Calif.--(BUSINESS WIRE)--Jan. 26, 2004-- PGP Corporation's Product Enhancements Add Capability for Microsoft Exchange Server Users, Incorporate S/MIME and X.509 Messaging Standards, LDAP Directories, and Mac OS X Support PGP Corporation, the global leader in digital information security, today announced a new version of its PGP(R) Universal product. This new product extends the world's first enterprise security architecture to a broader user base and allows improved interfacing with existing email security infrastructures. PGP Universal Server shifts the burden of securing email messages and attachments from the desktop to the network in a way that is automatic and entirely transparent to users. The product line is actively being used by large enterprises worldwide. PGP Universal Server is an award-winning solution, having received the VARBusiness Technology Innovation Editor's Choice Award, and was recently featured in Information Security magazine. The PGP Universal product line focuses on the three A's, said Phillip Dunkelberger, President and CEO of PGP Corporation. First, we automate processes (encryption, digital signatures, key management) to make email security simple and easy; second, we aggregate tasks and functions (desktop and network email security, PKI infrastructure) under a single architecture to make systems management more effective; and third, we accelerate an enterprise's ability to quickly and inexpensively deploy secure messaging to all critical employees and external partners. The Product PGP Universal Server 1.1 includes significant feature enhancements to the product line, first introduced in September 2003, simplified installation for IT administrators and a new pricing structure. Key functional enhancements in PGP Universal 1.1 include: S/MIME and X.509 support -- PGP Universal Server 1.1 now supports S/MIME messages and X.509 certificates in addition to OpenPGP keys and messages. This capability allows PGP Universal to interoperate with PKI deployments, easily adding email security to existing PKI investments. Microsoft Exchange MAPI support -- PGP Universal Satellite now supports Microsoft Outlook users who use MAPI to connect to Microsoft Exchange Server, providing both gateway and end-to-end email security. PGP Universal Satellite Mac OS X -- PGP Universal Satellite now supports Mac OS X as well as Windows clients. LDAP Directory Synchronization -- PGP Universal Server 1.1 now automatically synchronizes with popular directory servers, including Active Directory and Exchange Groups, allowing customers to apply security policy only to LDAP defined users. PGP Universal Web Messenger Inbox -- PGP Universal Web Messenger now displays a full webmail-style secure Inbox for messages received by external users. PGP Universal Web Messenger attachments and HTML -- PGP Universal Web Messenger now supports sending and receiving of attachments as well as display of HTML content, including inline images. PGP Universal Web Messenger Internationalization -- PGP Universal Web Messenger is now automatically internationalized for users in French, German, Japanese and Spanish. PGP Universal Web Messenger load balancing -- PGP Universal Web Messenger now load balances services between clustered PGP Universal Servers designated as PGP Universal Web Messenger servers. Architecture Goals Added Mr. Dunkelberger: Our technology vision begins with secure email, then expands to include all enterprise digital information. In the future, we will extend PGP Universal technology to also secure instant messaging, mobile devices, stored local and network data, CRM and ERP records, and all other digital information that can be proxied at the transport level. PGP Universal Server is the foundation on which we will build this future. PGP Universal Server 1.1 further addresses the myriad needs and goals of a wide range of users within the enterprise: For Executive and Business Management: User transparency; automatic central security policy; two-way policy enforcement; digital signatures; immediate, incremental, and scalable deployment; and low cost of ownership. For Network, Email, and IT Management: Implementation; interoperability and standards compatibility; certificate and message format compatibility; self-managing security architecture; incremental deployment. For Information Security Management: Central, two-way security policy management; network-based policy enforcement; self-managing security architecture; single solution; keyless recipient management; certificate- and message format-agnostic; additional decryption keys (ADKs); and trusted technology foundation. PGP Universal Relieves
FYI: 3 qubits encrypted
Apparently, it is as hard (or harder) to produce random qubits as random bits. There are some sentences in this article that don't make sense so I am guessing the author doesn't really understand the subject. From: http://www.trnmag.com/Stories/2004/011404/Quantum_dice_debut_011404.htm l ...random operators would be useful for quantum communications tasks like encryption, said Emerson. The idea is to randomize a specific configuration of qubits containing the message, and then transmit this randomized state, he said...The researchers tested the method on a three-qubit prototype liquid nuclear magnetic resonance (NMR) quantum computer. -Michael Heyman - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Diffie Optimistic About Secure Computing Future
http://www.internetwk.com/shared/printableArticle.jhtml?articleID=17501559 Diffie Optimistic About Secure Computing Future By Paul Kapustka, NetworkingPipeline, InternetWeek Jan 27, 2004 (1:00 AM) URL: http://www.internetweek.com/story/showArticle.jhtml?articleID=17501559 Even as the MyDoom worm continued its spread around the Internet, noted cryptographer Whitfield Diffie was waxing optimistic about the future of secure computing, saying that technological advancements and better networking infrastructures would solve many security problems in the near future. Diffie, whose biography describes him as the discoverer of the concept of public key cryptography, used his keynote speech at the Comnet trade show here Tuesday to outline several advancements in computing that he said would make the future more secure in the near future, a list that included cheaper and better hardware, and software and hardware verification techniques that would allow for greater trust between connected systems. I'm optimistic that we are going to solve a lot of the secure computing problems in the next few years, said Diffie, who is chief security officer at Sun Microsystems. Widely available cryptography products, combined with cheaper, faster computing hardware will greatly reduce security problems, Diffie said. Users will have more powerful tools to work with, he added. Software and hardware verification methods, Diffie said, will also mature rapidly, allowing users to perform the networking equivalent of credit checks on the systems and software they interconnect with. Viruses like the MyDoom program, he said, take advantage of the lazy programming methods of the past, where programs are written to perform many functions, instead of discrete tasks. One of the problems with [Microsoft] Outlook is that it makes more tasks possible than it should, Diffie said. Administrators and developers, he said, could reduce such risks by determining the scope of tasks that are necessary, and tailoring programs or networks to limit the ability of hackers to perform destructive tasks. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Canon's Image Data Verification Kit DVK-E2 ?
Hi, Canon provides a so called Data Verification Kit which allegedly allows to detect whether a digital image has been tampered with since it has been taken with a digital camera. I found the announcement at http://www.dpreview.com/news/0401/04012903canondvke2.asp They say: How it works The kit consists of a dedicated SM (secure mobile) card reader/writer and verification software. When the appropriate function (Personal Function 31) on the EOS-1D Mark II or EOS-1Ds is activated, a code based on the image contents is generated and appended to the image. When the image is viewed, the data verification software determines the code for the image and compares it with the attached code. If the image contents have been manipulated in any way, the codes will not match and the image cannot be verified as the original. So some kind of hash code or digital signature is generated. Does anybody know details about this? I never heard that there are digital mass market cameras which could generate digital signatures. But if the signature is generated inside the SM card only, why should the PC where the image was modified be unable to write the modified image the same way as a digital camera writes an unmodified one? (And, btw., how do they detect that the picture was taken at a real scene and is not a repro of a modified and printed picture?) I guess the secure mobile card generates some signature and they presume that the attacker would not have access to the memory card. This would start to protect the image not from the moment it had been taken, but from the moment when it was copied from the card to other media. And it would require to trust the photographer. Is there a technical description of those secure mobile cards available? I didn't find any details, just marketing blabla. regards Hadmut - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[CSL Colloq] The Architecture of Colossus, the first PC * 4:15PM, Wed February 04, 2003 in Gates B03 (fwd)
[Note: Webcasts available live and from archives] -- Forwarded message -- Date: Fri, 30 Jan 2004 00:23:31 -0800 From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [CSL Colloq] The Architecture of Colossus, the first PC * 4:15PM, Wed February 04, 2003 in Gates B03 COMPUTER SYSTEMS LABORATORY COLLOQUIUM 4:15PM, Wednesday, February 04, 2003 NEC Auditorium, Gates Computer Science Building B03 http://ee380.stanford.edu[1] Topic:The Architecture of Colossus, the first PC Speaker: Benjamin Wells University of San Francisco About the talk: Colossus, the first electronic digital computer, was built by Tommy Flowers at the General Post Office Research Station in Dollis Hill, London. It was installed during December 1943 at Bletchley Park, the famous WWII British code-cracking enclave. Its purpose was to assist with the decryption of wireless traffic among German high-level commands encrypted using the Lorenz teletype cipher machine. Called Colossus because of its size, it could be run by a single operator --and often was. At least in that sense, it was also the world's first personal computer. Bletchley had already developed a highly successful automated attack on the Enigma cipher system under the guidance and genius of Alan Turing. Built without direct input from Turing, Colossus was designed to support the cracking of the highest volume of German strategic code transmissions. These intelligence-rich messages were thousands of characters long, overshadowing the hand-encoded tactical traffic using Enigma. Because Colossus was kept secret until 1973, and full details of its use and construction were not released until 2000, it did not play a direct role in the evolution of digital computers. Of course, many who worked on it were involved with later computers. With the release of previously classified documents, interest in Colossus has grown over the last three years. This accessible, multimedia talk will compare the architectural features of Colossus with those of modern PCs. Although it is tempting to assert that the former was a stored-program general purpose machine, as some have done in print, that analysis is less than promising. What is amazing is that Colossus introduced buffered I/O, branch decisions, biquinary representation, and bit masking, and anticipated some deeper modern features: parallelism, dual rail, hardware interrupt, shift register, asynchronous dataflow, and plug-ins. Moreover, recent results (AMS Abstracts 04T-68-2) show that a universal Turing machine could have been implemented on a cluster of the ten Colossi, proving the power of Colossus. About the speaker: Benjamin Wells teaches both mathematics and computer science courses at the University of San Francisco, including freshman seminars that combine science and art. He holds degrees from MIT and UC Berkeley and has studied in four countries. The last student of noted logician Alfred Tarski, Wells works on the boundary of logic, algebra, and computing; he also contributes to computer graphics and visual communication. He won a John Templeton Foundation science and religion course prize in 1998 and held the USF Davies Professorship in 1989. He enjoys mysticism, cooking, computer-supported art, hiking, languages, dancing, tales, and family. Contact information: Benjamin Wells Professor of Mathematics and Computer Science University of San Francisco [EMAIL PROTECTED] Embedded Links: [ 1 ]http://ee380.stanford.edu [ 2 ]mailto:[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
DIMACS Workshop on Electronic Voting -- Theory and Practice
* DIMACS Workshop on Electronic Voting -- Theory and Practice May 26 - 27, 2004 DIMACS Center, Rutgers University, Piscataway, NJ Organizers: Markus Jakobsson, RSA Laboratories, [EMAIL PROTECTED] Ari Juels, RSA Laboratories, [EMAIL PROTECTED] Presented under the auspices of the Special Focus on Communication Security and Information Privacy and the Special Focus on Computation and the Socio-Economic Sciences.. To many technologists, electronic voting represents a seemingly simple exercise in system design. In reality, the many requirements it imposes with regard to correctness, anonymity, and availability pose an unusually thorny collection of problems, and the security risks associated with electronic voting, especially remotely over the Internet, are numerous and complex, posing major technological challenges for computer scientists. (For a few examples, see references below.) The problems range from the threat of denial-of-service-attacks to the need for careful selection of techniques to enforce private and correct tallying of ballots. Other possible requirements for electronic voting schemes are resistance to vote buying, defenses against malfunctioning software, viruses, and related problems, audit ability, and the development of user-friendly and universally accessible interfaces. The goal of the workshop is to bring together and foster an interplay of ideas among researchers and practitioners in different areas of relevance to voting. For example, the workshop will investigate prevention of penetration attacks that involve the use of a delivery mechanism to transport a malicious payload to the target host. This could be in the form of a ``Trojan horse'' or remote control program. It will also investigate vulnerabilities of the communication path between the voting client (the devices where a voter votes) and the server (where votes are tallied). Especially in the case of remote voting, the path must be ``trusted'' and a challenge is to maintain an authenticated communications linkage. Although not specifically a security issue, reliability issues are closely related and will also be considered. The workshop will consider issues dealing with random hardware and software failures (as opposed to deliberate, intelligent attack). A key difference between voting and electronic commerce is that in the former, one wants to irreversibly sever the link between the ballot and the voter. The workshop will discuss audit trails as a way of ensuring this. The workshop will also investigate methods for minimizing coercion and fraud, e.g., schemes to allow a voter to vote more than once and only having the last vote count. This workshop is part of the Special Focus on Communication Security and Information Privacy and will be coordinated with the Special Focus on Computation and the Socio-Economic Sciences. This workshop follows a successful first WOTE event, organized by David Chaum and Ron Rivest in 2001 at Marconi Conference Center in Tomales Bay, California (http://www.vote.caltech.edu/wote01/). Since that time, a flurry of voting bills has been enacted at the federal and state levels, including most notably the Help America Vote Act (HAVA). Standards development has represented another avenue of reform (e.g., the IEEE Voting Equipment Standards Project 1583), while a grassroots movement (http://www.verifiedvoting.org) has arisen to promote the importance of audit trails as enhancements to trustworthiness. ** Participation: Interested participants may contact the organizers. ** Registration Fees: (Pre-registration deadline: May 20, 2004) Regular Rate Preregister before deadline $120/day After preregistration deadline $140/day Reduced Rate* Preregister before deadline $60/day After preregistration deadline $70/day Postdocs Preregister before deadline $10/day After preregistration deadline $15/day DIMACS Postdocs $0 Non-Local Graduate Undergraduate students Preregister before deadline $5/day After preregistration deadline $10/day Local Graduate Undergraduate students $0 (Rutgers Princeton) DIMACS partner institution employees** $0 DIMACS long-term visitors*** $0 Registration fee to be collected on site, cash, check, VISA/Mastercard accepted. Our funding agencies require that we charge a registration fee during the course of the workshop. Registration fees include participation in the workshop, all workshop materials, breakfast, lunch, breaks and any scheduled social events (if applicable). * College/University faculty and employees of nonprofit and government organizations will automatically receive the reduced rate. Other participants may apply for a reduction of fees. They should email their request for the
[IP] China Mandates Closed Security Standard
Of interest to security folks... From Dave Farber's IP list.. - Begin Forwarded Message - Date: Tue, 03 Feb 2004 18:33:18 -0500 From: Dave Farber [EMAIL PROTECTED] China Mandates Closed Security Standard The Wi-Fi Alliance and IEEE were apparently taken by surprise when the Chinese government's regulatory arm announced that only devices that included WAPI (Wired Authentication and Privacy Infrastructure) would be legal to sell in China after Dec. 1, 2003. That was the first most companies and individuals had heard of WAPI, which is a home-grown replacement for the broken WEP (Wired Equivalent Privacy) standard that in the rest of the world is being replaced by WPA (Wi-Fi Protected Access) and IEEE 802.11i (due to be finished in 2004). The Chinese apparently didn't want to wait for WPA or 802.11i, and have mandated WAPI on new equipment. Existing gear doesn't have to be trashed, and companies with contracts to deliver equipment that extended past Dec. 1 were allowed to continue to deliver it. Only a handful of Chinese companies are licensed to include WAPI in their equipment, which may force non-Chinese vendors to partner to continue to sell into a growing market. What's worse, WAPI is confidential. It hasn't been openly discussed or tested, and given the nature of China's monitoring of other forms of communication, it's likely that the standard includes a method for interception of ostensibly encrypted traffic. - Archives at: http://www.interesting-people.org/archives/interesting-people/ - End Forwarded Message - --- Gregory Hicks| Principal Systems Engineer Cadence Design Systems | Direct: 408.576.3609 555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400 San Jose, CA 95134 | Internet: [EMAIL PROTECTED] The trouble with doing anything right the first time is that nobody appreciates how difficult it was. When a team of dedicated individuals makes a commitment to act as one... the sky's the limit. Just because We've always done it that way is not necessarily a good reason to continue to do so... Grace Hopper, Rear Admiral, United States Navy - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Did American slaves use steganography?
Two historians say African American slaves may have used a quilt code to navigate the Underground Railroad. Quilts with patterns named 'wagon wheel,' 'tumbling blocks,' and 'bear's paw' appear to have contained secret messages that helped direct slaves to freedom, the pair claim. http://news.nationalgeographic.com/news/2004/02/0205_040205_slavequilts.html CCH - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Ancient clay stamp seals and sealings of Sri Lanka
http://www.sundayobserver.lk/2004/02/08/fea20.html Sunday, 8 February 2004 Online edition of Sunday Observer - Business Ancient clay stamp seals and sealings of Sri Lanka by Rajah M. Wickremesinghe The world's oldest clay stamp seal had been unearthed in 1990 in the ancient Mesopotamian city of Ur. This city was situated in Southern Iraq along the river Euphrates, below present day Baghdad. The seal is attributed to a king of the 1st dynasty of Babylon circa 2550 BC. Sarah Kielt has in her work expressed the opinion that the various types of seals discovered by archaeologists can be dated from as far back as 6000 BC particularly in the ancient civilisations of the Near East. Roger J. Mathews identifies such seals as stamp, cylinder, and tablet, the last named bearing a seal impression on both sides. A stamp seal could even have been attached to a ring and has only one impression impression as opposed to a cylinder seal which had multiple imprints on it. The latter were utilized by rolling them on to wet clay. Cylinder seals have an aperture running through the centre in its entire length, facilitating being rolled. They could also be worn round the owners neck to make it secure. It is accepted by archaeologists that cylinder seals had been invented in Southern Mesopotamia around 3500 BC. Seals provide important evidence similarly to coins, for the re-construction of ancient socio-economic history of a region. Many active trading and administrative centres of ancient civilisations have yielded seals and sealings of clay in very large numbers. This has enabled the uncovering of their hidden secrets. Seals had initially been used for accounting and later as Temple records, for administration purposes and lastly as trading receipts. In the Near East it is observed that the advent of coins was centuries after the use of seals. However, in Sri Lanka we note that in Ruhuna a unique lead coinage inscribed in Brahmi appears simultaneously with seals and clay sealings. A sealing is the impression of a seal pressed on wet clay, its usage similar to that in modern times, when sealing wax is placed over a knot, in the instance string is used to secure a parcel or package. In ancient times a lump of clay was pressed over the knot of string or strapping securing packages or bundles and then marked with the senders seal which was his stamp of ownership. Sealings were also used when the mouth of jars or containers were covered with woven material and secured with a string. In Mesopotamia they were in addition used to securing containers, jars, baskets, sacks, leather bags and also door ways and lids of boxes. The clay sealing 32x30 mm (fig. 1) bearing the legend 'Maharaja Gamini Tissaha Devanampiya' in Nagari Script meaning 'of the great king Gamini Tissa the beloved of the Gods' was found by a villager cultivating his land in Akurugoda in Tissamaharama in 1989. In 'Ruhuna an ancient civilisation revisited' co-authored by O. Bopearachchi and the writer it is attributed to king Saddhatissa 77 - 59 BC. This at present is the oldest attested clay sealing found in the island. At the centre of the seal is a railed swastika with the above noted legend distributed on the three sides excluding the base. Two other sealings also of the same provenance are illustrated (Figs. II and III). One depicts the foreparts of two lions each facing opposite directions with outstretched fore legs and the other a lion and elephant similarly joined. Both sealings have distinct legends in Brahmi. The three sealings described above are not trade sealings. They have no impressions of string at the back and could be identified as having been used only for an administrative purpose. This places these three sealings apart from all other sealings described. Clay trade sealings Fig. IV depicts a sealing with evidence of a securing device (appearing to be a strap and not string at the back) and bears a large railed swastika 68x58 mm. with an indistinct Brahmi legend on the outer edge. This presently is the largest trade sealing found in the Island. Fig. V is of a unique clay sealing yet unpublished, found in Niyadella in Ruhuna in 1996 where figures similar to those found on Roman coins of the early Christian era, are clearly visible in the three separate stamps on the sealing. On the reverse instead of a string it depicts the design of a woven reed mat on which the seal has been placed. Another clay sealing depicting the head of a Roman soldier similar to those on 3rd century brass Roman coins had been found in Tissamaharama in 1989. Over 30 stamp sealings recording trade had been found in Akurugoda, depicting male and female figures, lions, elephants, bulls and humped bulls both standing and seated, wild boar, fishes, and one in which one animal appears to be attacking another astride its back. Illustrated are clay trade sealings with clear evidence of string used for securing - 'A' an elephant (the
[Publicity-list]: DIMACS Workshop on Usable Privacy and Security Software
* DIMACS Workshop on Usable Privacy and Security Software July 7 - 8, 2004 DIMACS Center, Rutgers University, Piscataway, NJ Organizers: Lorrie Cranor, Chair, Carnegie Mellon University, [EMAIL PROTECTED] Mark Ackerman, University of Michigan, [EMAIL PROTECTED] Fabian Monrose, Johns Hopkins University, [EMAIL PROTECTED] Andrew Patrick, NRC Canada, [EMAIL PROTECTED] Norman Sadeh, Carnegie Mellon University, [EMAIL PROTECTED] Presented under the auspices of the Special Focus on Communication Security and Information Privacy. This workshop and working group is intended to bring together security and privacy experts with human-computer interaction experts to discuss approaches to developing more usable privacy and security software. The workshop sessions on July 7 and July 8 will include invited talks and discussion. July 9 will feature a working group of invited participants who will spend the day identifying important problems, discussing some of the research issues raised during the workshop in more depth, and brainstorming about approaches to future research, collaboration, and more user-centered design of security and privacy software. ** Participation: Participation in the workshop is open to anyone who registers (no submission necessary). Participation in the working group on July 9 is limited because of the emphasis on achieving a high degree of interactivity and discussion. Workshop participants who are interested in participating in the working group session should send a 1-page abstract or position paper describing their work relevant to this workshop to [EMAIL PROTECTED] Abstracts and position papers should be submitted in plain text, HTML, or PDF formats only. All submissions must be received by April 2, 2004 and authors will be notified by April 19, 2004 as to whether they have been accepted to participate in the working group. In addition, the authors of some submissions will be invited to present 10-minute short talks about their work. Submissions may describe ongoing or planned work related to the development of usable interfaces for security or privacy software, or they may discuss important research problems or propose a research agenda in this area. Submissions are especially encouraged that identify security and privacy areas in need of examination by HCI researchers, as well as areas where HCI researchers would like assistance from security and privacy researchers. ** Registration Fees: (Pre-registration deadline: June 30, 2004) Please see website for registration fees and details. * Information on participation, registration, accomodations, and travel can be found at: http://dimacs.rutgers.edu/Workshops/Tools/ **PLEASE BE SURE TO PRE-REGISTER EARLY** - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Verisign CRL single point of failure
I don't think you understood my question. Why is crl.verisign.com getting overloaded *now.* What does the expiration of one of their CA certificates have to do with it? Once you see that a cert has expired, there's no need whatsoever to go look at the CRL. The point of a CRL is to revoke certificates prior to their expiration. You are correct I did miss your point in haste. I cannot answer that, but I can tell you that disabling the function or uninstalling NAV that has CRL function, fixes the problem immediately. And if you watch your firewall as the clients open a file that requests a virus scan they all try to hit crl.verisign.com. This has been happening since the 7th when that cert expired. DK - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Verisign CRL single point of failure
dave kleiman wrote: Because the client has a Certificate Revocation Checking function turned on in a particular app (i.e. IE or NAV). I don't think you understood my question. Why is crl.verisign.com getting overloaded *now.* What does the expiration of one of their CA certificates have to do with it? Once you see that a cert has expired, there's no need whatsoever to go look at the CRL. The point of a CRL is to revoke certificates prior to their expiration. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
A possible explanation for the world's most enigmatic book
http://www.economist.com/science/PrinterFriendly.cfm?Story_ID=2329803 The Economist The Voynich manuscript Another twist in the tale Jan 8th 2004 From The Economist print edition A possible explanation for the world's most enigmatic book Worth 600 ducats of anybody's money! THE Voynich manuscript, once owned by Emperor Rudolph II in 16th-century Bohemia, is filled with drawings of fantastic plants, zodiacal symbols and naked ladies. Far more intriguing than its illustrations, however, is the accompanying text: 234 pages of beautifully formed, yet completely unintelligible script. Modern scholars have pored over the book since 1912, when Wilfrid Voynich, an American antiquarian, bought the manuscript and started circulating copies in the hope of having it translated. Some 90 years later, the book still defies deciphering. It now resides at Yale University. The manuscript is written in Voynichese, which consists of strange characters, some of which look like normal Latin letters and Roman numerals. Some analysts have suggested that Voynichese is a modified form of Chinese. Others think it may be Ukrainian with the vowels taken out. But Voynichese words do not resemble those of any known language. Nor is the text a simple transliteration into fanciful symbols: the internal structure of Voynichese words, and how they fit together in sentences, is unlike patterns seen in other languages. Another possibility is that the text is written in code. But the best efforts of cryptographers over the past 30 years have failed to crack it. This resilience is unusual, given that other ciphers from the period have yielded their secrets. On the other hand, the text could just be gibberish and the book-which may have been passed off to Emperor Rudolph as the work of Roger Bacon, a 13th-century natural philosopher, in exchange for the princely sum of 600 gold ducats-a grand hoax. But Gabriel Landini, a Voynichese enthusiast at the University of Birmingham, in England, argues against this theory. Given the complex structure of Voynichese words, writing hundreds of pages of internally consistent gibberish would be a tough task for a fraudster to pull off. But perhaps not an impossible one. Gordon Rugg, a computer scientist at Keele University, in England, thinks he may be one step closer to an explanation of how the text might have been created. In a paper published in the January issue of Cryptologia, he uses low-tech 16th-century methods, rather than 20th-century computing, to generate text resembling that in the book. If the Voynich manuscript is a fraud, then one plausible suspect is Edward Kelley, an Elizabethan con-artist. So Dr Rugg borrowed one of Kelley's techniques. He used a grid of 40 rows and 39 columns to create a table which he filled in with Voynichese syllables. He then placed a grille-a piece of cardboard with three squares cut out in a diagonal pattern-on top of the table, and started forming words by reading off the syllables as he moved the grille across columns and down rows. The result was words with the same internal patterns as Voynichese. Dr Rugg and his team are now writing software to create dozens of tables and grilles in an attempt to reproduce other linguistic patterns in the manuscript. If their findings hold up, it would mean that the regularity of Voynichese is no longer an argument against the manuscript being an elaborate hoax. Of course, this does not prove that the manuscript is nonsense-an impossible thing to demonstrate, in any case, since failure to find meaning in the text does not make it meaningless, but simply beyond current methods of decoding. Indeed, Dr Landini believes that the Voynich manuscript might yet yield to massive computing power. If it does, most people expect to find a work of modest historical interest, rather than the secret of life. As with most puzzles, the thrill of solution lies in the process, rather than the product. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: fun with CRLs!
/. is reporting this, anyone know the real story? The CryptoAPI list has been lit up end to end with mail about this. The summary from one poster (Tim Anderson [EMAIL PROTECTED]) is: IE5.x's digital signature expired yesterday. Every computer that uses WinVerifyTrust now has to have the verify publisher certificate dealy unchecked or the WinVerifyTrust call takes upwards of 5 minutes to complete. The fix, as for the We're from Microsoft, give us a certificate fiasco of two years ago, is an OS update from Microsoft to replace the certs. Further patches will be in Win2K SP5 and WinXP SP2. ObSnideComment: It's a good thing 99.99% of PKI use is just window dressing, imagine if people were basing things like electronic funds transfers on technology as brittle as this: Please wait 5 minutes for the server to time out so your funds can become available. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Verisign CRL single point of failure
Rich Salz [EMAIL PROTECTED] writes: Can someone explain to me why the expiring of a certificate causes new massive CRL queries? Here's the reply straight from Verisign: -- Snip -- We wanted to pass on a notification that we have determined what we feel is the root cause of the CRL outage issue. It appears that at midnight GMT (4pm PST) on January 7, 2004, VeriSign experienced a sudden and dramatic increase in the number of requests by Windows-based clients to download a certificate revocation list (CRL). The CRL is a file which confirms the validity status of a set of certificates, and is used by applications and users to determine whether a particular certificate has been revoked between the time it was issued and the time it will expire. The CRL in question was for a code-signing application. VeriSign normally serves up several million CRLs per hour. These CRLs typically have one- to two-week validity periods, and client applications using CRLs will check for an update as the CRL expires. The Code Signing CRL was supplied to a large number of Windows clients. When that CRL expired, those clients simultaneously requested a particularly large CRL file, resulting in an eight-fold increase in traffic at the site crl.verisign.com, where VeriSign hosts all our CRLs. As a result, As a result, Windows-based browsers requesting status of certain server certificates have experienced intermittent delays. VeriSign has increased its capacity to handle these requests by 10 fold in the past 8 hours. As the particular code-signing CRL file is no longer a dynamically changing, there will be no need for clients, once they have downloaded this file, to request a new version of this particular CRL. While this does not represent a security risk, it may have represented a performance degradation for some users. VeriSign regrets the inconvenience caused to customers, and has implemented procedures both internally, and with our partners, to ensure that this problem does not reoccur. Please note that this problem is in no way related to the Intermediate CA expiration issue discussed on our site at http://www.verisign.com/support/vendors/exp-gsid-ssl.html?sl=070807. Although the expiration dates are the same, it is strictly a coincidence in timing. -- Snip -- ObComment again: Ahh, the wonders of doing an online CRL fetch that feeds you information that's two weeks out of date. I'm not sure what the no longer dynamically changing means, I assume they've made it even worse by giving it a much larger expiry period, so your online check gives you the status from last year instead of last week. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Verisign CRL single point of failure
I'm not sure what the no longer dynamically changing means, I assume they've made it even worse by giving it a much larger expiry period, so your online check gives you the status from last year instead of last week. It means that they learned the lesson when the erroneously issued two MSFT certificates: In the future, VRSN patches will be issued as MSFT software updates. -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Crypto Law Survey updated - version 22.0
--- begin forwarded text Approved-By: Bert-Jaap Koops [EMAIL PROTECTED] Date: Wed, 14 Jan 2004 13:06:08 +0100 Reply-To: Bert-Jaap Koops [EMAIL PROTECTED] Sender: Mailinglist about existing and proposed laws and regulations on cryptography [EMAIL PROTECTED] From: Bert-Jaap Koops [EMAIL PROTECTED] Subject: Crypto Law Survey updated - version 22.0 To: [EMAIL PROTECTED] I have updated my Crypto Law Survey to version 22.0. http://rechten.uvt.nl/koops/cryptolaw/ NEWS My thesis is now on-line full-text in pdf. The Crypto Controversy gives an overview of the crypto problems for law-enforcement and their solutions: http://law.uvt.nl/koops/thesis/thesis.htm EUROPE * Belgium (current state of Program Act) * Israel (new license stats) * Italy (radio-amateur law) * Lithuania (export and import controls, no domestic law) * Netherlands (no TTP law) * Spain (new Telecommunications Act) * Switzerland (radio-traffic law) AMERICAS * Brazil (working on policy) * United States (Patriot II; Bernstein case ends (for now)) ASIA * China (wireless crypto; clarification letter only pre-2000) Any additions you may provide are greatly welcomed. Bert-Jaap Koops Tilburg University 14 January 2004 -- You may forward this message in its entirety. -- To unsubscribe from this mailing list, send a message to [EMAIL PROTECTED] with in the body of the message UNSUBSCRIBE CRYPTOLAW-L. To subscribe to this mailing list, send a message to [EMAIL PROTECTED] with in the body of the message SUBSCRIBE CRYPTOLAW-L. --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Verisign CRL single point of failure
Verisign incorrectly built the new certificate causing every SSL access on IE 5.x to request a new CRL (700k) on every single SSL access. This has been fixed, a new udated cert is available and the CRL storm is abating. See the versign site for more details on what they did to fix the problem, but nothing of course on what they did wrong. Note that two separte certs expired at the same time so there were two competing DOS attacks simultaneously. hth ..tom Can someone explain to me why the expiring of a certificate causes new massive CRL queries? /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
