Re: two bits of light holiday reading

2008-12-27 Thread Steven M. Bellovin
On Fri, 26 Dec 2008 01:35:43 -0500
Ivan Krstić wrote:


> 2.
> 
> The DC-based Center for Strategic and International Studies recently
> released a report titled 'Securing Cyberspace for the 44th
> Presidency' written by a number of influential authors:
> 
> Of most interest to this list, the report suggests going on the
> offensive with regard to identity management, proposing to restrict
> bonuses and awards of US federal agencies not using strong digital
> credentials for employees in sufficient numbers (logical pp. 61-65).
> Maybe, uh, it'll work this time around?

I disagree with a number of recommendations in that report; some of the
ones about identity management are high on my list.  See
http://www.cs.columbia.edu/~smb/blog/2008-12/2008-12-15.html for my
comments.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: Security by asking the drunk whether he's drunk

2008-12-27 Thread Ben Laurie
On Fri, Dec 26, 2008 at 7:39 AM, Peter Gutmann wrote:
> Adding support for a
> service like Perspectives (discussed here a month or two back) would be a good
> start since it provides some of the assurance that a commercial PKI can't (and
> as an additional benefit it also works for SSH servers, since it's not built
> around certificates).
>
> So, when will Google add Perspectives support to their search database? :-).


I can't find discussion of Perspectives - hint?



A History of U.S. Communications Security

2008-12-27 Thread Pehr Söderman
Freshly declassified and a rather interesting read:

A History of U.S. Communications Security (Volumes I and II, 1973)
David G. Boak Lectures, National Security Agency (NSA)

http://www.governmentattic.org/2docs/Hist_US_COMSEC_Boak_NSA_1973.pdf

(From Bruce Schneier/Governmentattic)

/Pehr Söderman



Re: Security by asking the drunk whether he's drunk

2008-12-27 Thread Jerry Leichter

On Dec 26, 2008, at 2:39 AM, Peter Gutmann wrote:

> d...@geer.org writes:
>
>> I'm hoping this is just a single instance but it makes you remember that the
>> browser pre-trusted certificate authorities really needs to be cleaned up.
>
> Given the more or less complete failure of commercial PKI for both SSL web
> browsing and code-signing (as evidenced by the multibillion-dollar cybercrime
> industry freely doing all the things that SSL certs and code-signing were
> supposed to prevent them from doing), it's not so much "cleaned up" as
> "replaced with something that may actually work"

I just had an interesting experience with a different sort of failure: I tried
to buy a DVD from The Teaching Company (www.teach12.com). When I went to check
out - or even when I connect to the top level at https://www.teach12.com - I get
a complaint that their cert is signed by an unknown authority. It turns out that
they recently put an EV certificate in place. It's issued by "VeriSign Class 3
Extended Validation SSL SGC CA" - which neither Safari 3.2.1 nor Firefox 3.0.5
on my Mac have ever heard of!


I got in touch with the company and actually received intelligent responses
both at their 800 number - I placed my order that way - and in a response from
their customer service people. Most remarkable - almost all organizations
ignore such communication. It's ironic that those who appear to be trying the
hardest are being screwed over by the system that's currently in place - and
will inadvertently be involved in training users to simply bypass yet another
kind of bad cert warning.


(I can highly recommend the courses that The Teaching Company distributes, by
the way. I usually borrow them from the library, but I've bought a few of the
best here and there - especially when they have sales, as they do right now.)


-- Jerry
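The symptom Jerry describes, a certificate whose issuer the client does not recognise, is what any verifier reports when it cannot build a chain from the leaf to a trusted root, for instance when the issuing intermediate CA is neither in the client's store nor supplied by the server. The following is an added example, not part of the thread: it builds a constructed root/intermediate/leaf hierarchy with the openssl CLI (constructed names, not the VeriSign hierarchy) and shows the same leaf failing or passing depending on whether the intermediate is available to the verifier.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce an "unknown authority" failure
# with a throwaway root -> intermediate -> leaf hierarchy built here with the
# openssl CLI. All names are constructed; this is not the VeriSign hierarchy.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed; openssl's req -x509 defaults mark it CA:TRUE.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1

# Intermediate CA: signed by the root and explicitly marked as a CA so that a
# verifier will accept the certificates it issues.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example EV Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile int.ext -out int.pem -days 30 >/dev/null 2>&1

# Leaf (server) certificate: issued by the intermediate, not by the root.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 >/dev/null 2>&1

# verify_leaf [intermediate.pem]
# The client trusts only the root (-CAfile). The optional argument plays the
# role of the intermediate a server is supposed to send in its handshake
# (-untrusted: usable for chain building, but not a trust anchor itself).
# Prints "ok" when the chain builds and "unknown-issuer" when it does not.
verify_leaf() {
  if [ -n "${1:-}" ]; then
    set -- -CAfile root.pem -untrusted "$1" leaf.pem
  else
    set -- -CAfile root.pem leaf.pem
  fi
  if openssl verify "$@" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown-issuer   # openssl: "unable to get local issuer certificate"
  fi
}

verify_leaf            # leaf alone: the client cannot find the issuer
verify_leaf int.pem    # leaf plus intermediate: chains up to the trusted root
```

A client that ships the intermediate in its own store would pass the first case too, which is why the same site can look fine in one browser and broken in another.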
