Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Perry E. Metzger
Eric Rescorla wrote: Most chat protocols (and Jabber in particular) are server-oriented protocols. So, the SSL certificate in question isn't that of your buddy but rather of your Jabber server. Adam Back [EMAIL PROTECTED] writes: That's broken, just like the WAP GAP ... for security you want

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Alaric Dailey
Think end-to-end.. Even jabber has a way to encrypt messages end-to-end using user certificates (or PGP). -derek I am aware of Jabber's support for GPG/PGP, but did I miss their support for user certificates? I have seen no indication of such support, what client supports it? Alaric

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Peter Gutmann
John Kelsey [EMAIL PROTECTED] writes: Recently, Earthlink's webmail server certificate started showing up as expired. (It obviously expired a long time ago; I suspect someone must have screwed up in changing keys over or something, because the problem wasn't happening up until recently.) This is

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Peter Saint-Andre
Adam Back wrote: That's broken, just like the WAP GAP ... for security you want end2end security, not a secure channel to a UTP (untrusted third party)! Well, in the Jabber/XMPP world you can run your own server (just as you can in the email world). I see no harm in e2m channel encryption in

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Peter Saint-Andre
Alaric Dailey wrote: I am aware of Jabber's support for GPG/PGP, but did I miss their support for user certificates? I have seen no indication of such support, what client supports it? RFC 3923. But no clients support that yet to my knowledge. Peter

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Enzo Michelangeli
- Original Message - From: Perry E. Metzger [EMAIL PROTECTED] To: Adam Back [EMAIL PROTECTED] Cc: Peter Saint-Andre [EMAIL PROTECTED]; cryptography@metzdowd.com Sent: Friday, August 26, 2005 8:55 PM Subject: Re: Another entry in the internet security hall of shame [...] Remember

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Adam Back writes: That's broken, just like the WAP GAP ... for security you want end2end security, not a secure channel to a UTP (untrusted third party)! What is security? What are you trying to protect, and against whom? I use Jabber extensively, and I utterly

Federal Information Assurance Conference 2005, Oct 25-26

2005-08-26 Thread Anne Lynn Wheeler
Federal Information Assurance Conference 2005, Oct 25-26, Univ. of Maryland http://www.fbcinc.com/fiac/ agenda http://www.fbcinc.com/fiac/agenda_full.asp and one of the sessions from above: Session Highlight: A5 - NIST and IBM Discuss Draft Publication SP 800-53A

Re: Fwd: Tor security advisory: DH handshake flaw

2005-08-26 Thread astiglic
Some info on primality testing. Miller-Rabin probabilistic primality tests work really well when you are searching for a prime and picking candidates from a uniform random distribution, also works well if you pick an initial candidate from a uniform random distribution and then increment on that

e2e all the way (Re: Another entry in the internet security hall of shame....)

2005-08-26 Thread Adam Back
On Fri, Aug 26, 2005 at 11:41:42AM -0400, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], Adam Back writes: That's broken, just like the WAP GAP ... for security you want end2end security, not a secure channel to a UTP (untrusted third party)! What is security? What are you

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Anne Lynn Wheeler
periodically, some of the PKI related comments remind me of some stories about power production from the 70s. some of the '70s energy stories focused on the different quality of support for power generation technologies based on whether they were institutional centric (and would be able to charge

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Chris Kuethe
On 8/26/05, Steven M. Bellovin [EMAIL PROTECTED] wrote: ... If you don't trust your (or your correspondents') IM servers, it may be a different situation. I haven't read Google's privacy policies for IM; if it's anything like gmail, they're using automated tools that look at your messages

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Peter Saint-Andre
Enzo Michelangeli wrote: Remember that Jabber and similar protocols also trust servers to some extent. Servers store and distribute valuable information like presence data -- it is architecturally hard to do otherwise. Well, not really: the buddies on the list can be located through a

Re: e2e all the way (Re: Another entry in the internet security hall of shame....)

2005-08-26 Thread Peter Saint-Andre
Adam Back wrote: Well I think security in IM, as in all comms security, means security such that only my intended recipients can read the traffic. (aka e2e security). I don't think the fact that you personally don't care about the confidentiality of your IM messages should argue for not doing

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Chris Kuethe writes: On 8/26/05, Steven M. Bellovin [EMAIL PROTECTED] wrote: ... If you don't trust your (or your correspondents') IM servers, it may be a different situation. I haven't read Google's privacy policies for IM; if it's anything like gmail, they're

Re: e2e all the way (Re: Another entry in the internet security hall of shame....)

2005-08-26 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Adam Back writes: On Fri, Aug 26, 2005 at 11:41:42AM -0400, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], Adam Back writes: That's broken, just like the WAP GAP ... for security you want end2end security, not a secure channel to a UTP (untrusted third

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Dave Howe
Ian G wrote: none of the above. Using SSL is the wrong tool for the job. For the one task mentioned - transmitting the username/password pair to the server - TLS is completely appropriate. However, hash based verification would seem to be more secure, require no encryption overhead on the

reading PINs in secure mailers without opening them

2005-08-26 Thread Perry E. Metzger
Often, banks send people PINs for their accounts by printing them on tamper secure mailers. Some folks at Cambridge have discovered that it is easy to read the PINs without opening the seals... http://news.bbc.co.uk/1/hi/technology/4183330.stm -- Perry E. Metzger [EMAIL