On Jun 30, 2008, at 7:22 PM, Perry E. Metzger wrote:
One of the most interesting things I find about most fields is the
fact that people who are incompetent very often fancy themselves
experts. There's a great study on this subject -- usually the least
competent people are the ones that feel

On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
Ed, there is a reason no one in the US, not even Wells Fargo which you
falsely cited, does what you suggest. None of them use 4 digit PINs,
none of them use customer account numbers as account names. (It is
possible SOMEONE out there does this,

Stephan Neuhaus [EMAIL PROTECTED] writes:
On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
Ed, there is a reason no one in the US, not even Wells Fargo which you
falsely cited, does what you suggest. None of them use 4 digit PINs,
none of them use customer account numbers as account names.

[Moderator's note: I'll let Ed have the last word. I'm sure everyone
knows what I'd say anyway. --Perry]
Perry E. Metzger wrote:
Ed Gerck [EMAIL PROTECTED] writes:
In any case, there are a large number of reasons US banks don't
(generally) require or even allow anyone to enter PINs for

The author of an article that appeared in InformationWeek this week
(June 30, 2008) on Enterprise Key Management Infrastructure (EKMI):
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208800937
states the following:
There are, of course, obstacles that must still be

Arshad Noor [EMAIL PROTECTED] writes:
In light of the recent discussions about experts in cryptography, I thought
I'd ask this forum to comment on the above author's statement: is this true?
Do cryptography experts deliberately choose complexity over simplicity when
the latter might provide the

Perry E. Metzger [EMAIL PROTECTED] writes:
No. In fact, it is about as far from the truth as I've ever seen. No real
expert would choose to deliberately make a protocol more complicated.
IPsec. Anything to do with PKI. XMLdsig. Gimme a few minutes and I can
provide a list as long as your arm.

Steven M. Bellovin wrote:
I did see one possible red flag in
the article: the key server verifies the client request, then
encrypts, digitally signs, and escrows the key in a database.
Escrowed keys are potentially *very* dangerous, but without knowing
just what's being stored and how it's

[EMAIL PROTECTED] (Peter Gutmann) writes:
Perry E. Metzger [EMAIL PROTECTED] writes:
No. In fact, it is about as far from the truth as I've ever seen. No real
expert would choose to deliberately make a protocol more complicated.
IPsec. Anything to do with PKI. XMLdsig. Gimme a few minutes