Re: dual-use digital signature vulnerability

2004-07-22 Thread Rich Salz
attempt to address this area; rather than simple i agree/disagree buttons ... they put little checkmarks at places in scrolled form you have to at least scroll thru the document and click on one or more checkmarks before doing the i agree button. a digital signature has somewhat

Re: Cryptography and the Open Source Security Debate

2004-07-22 Thread J Harper
There doesn't appear to be a discussion forum related to the Web post, so I'll reply here. We've gone through a similar thought process at my company. We have a commercial security product (MatrixSSL), but provide an open source version for many of the good points Daniel makes. There are a few

Identity theft case could be largest so far

2004-07-22 Thread R. A. Hettinga
http://www.cnn.com/2004/LAW/07/21/cyber.theft/index.html CNN Identity theft case could be largest so far Wednesday, July 21, 2004 Posted: 10:49 PM EDT (0249 GMT) WASHINGTON (CNN) -- A Florida man was indicted Wednesday in an alleged scheme to steal vast amounts of personal information, and

On SSL, SET, `real PKI` and real code against Phishing/Spoofing

2004-07-22 Thread Amir Herzberg
brief comments/suggestions: 1. The whole discussion on how much eavesdropping is a threat is irrelevant. We all know it is a threat and the level is not important, as SSL/TLS provide a good, inexpensive solution. Drop this topic. 2. Stop beating the dead horse (SET). But yes, we should learn

Re: dual-use digital signature vulnerability

2004-07-22 Thread Amir Herzberg
Barney Wolff wrote: Pardon a naive question, but shouldn't the signing algorithm allow the signer to add two nonces before and after the thing to be signed, and make the nonces part of the signature? That would eliminate the risk of ever signing something exactly chosen by an attacker, or at

Re: RP -- Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-22 Thread Anne Lynn Wheeler
At 01:39 PM 7/21/2004, Ed Gerck wrote: The PKI model is not tied to any legal jurisdiction and is not a business process. What is meant then by relying-party (RP) and RP Reliance in X.509 and PKIX? I hope the text below, from a work in progress submitted as an IETF ID, helps clarify this issue.

Re: Identity theft case could be largest so far

2004-07-22 Thread Ian Grigg
R. A. Hettinga wrote: http://www.cnn.com/2004/LAW/07/21/cyber.theft/index.html Identity theft case could be largest so far From other reports, the indictment alleges that Levine gained access ... by misusing a legitimate password and user name while working for a company doing business with