Re: Solving password problems one at a time, Re: The password-reset paradox

2009-03-02 Thread Steven M. Bellovin
On Sat, 21 Feb 2009 11:33:32 -0800 Ed Gerck edge...@nma.com wrote: I submit that the most important password problem is not that someone may find it written somewhere. The most important password problem is that people forget it. So, writing it down and taking the easy precaution of not

Re: Security through kittens, was Solving password problems

2009-03-02 Thread Peter Gutmann
James A. Donald jam...@echeque.com writes: The interesting thing is that it and similar phishes do not seem to have been all that successful - few people seemed to notice at all, the general reaction being to simply hit the spam key reflexively, much as people click away popup warnings

Activation protocol for tracking devices

2009-03-02 Thread Santiago Aguiar
I'm afraid this email will probably be a) flamed away (because it's not from a cryptographer, but forced to do crypto-things, and I do know your opinion about this matter...) b) ignored (same reason!). I'm sending it anyway because any kind of feedback would be welcomed ;), and the

[Fwd: New W3C XML Security Specifications]

2009-03-02 Thread Arshad Noor
FYI. Original Message Subject: New W3C XML Security Specifications Date: Fri, 27 Feb 2009 14:10:04 -0500 From: Sean Mullan sean.mul...@sun.com Reply-To: security-...@xml.apache.org To: security-...@xml.apache.org The W3C XML Security Working Group has just released 7 first

X.509 certificate overview + status

2009-03-02 Thread Travis
Hello, Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP, and OpenVPN services. Actually, I created my own CA for some of the certificates, and in other cases I used self-signed. It took me substantially more time than I had anticipated, and I'm left with feelings of unease.

Re: X.509 certificate overview + status

2009-03-02 Thread Marcus Brinkmann
Travis wrote: Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP, and OpenVPN services. Actually, I created my own CA for some of the certificates, and in other cases I used self-signed. It took me substantially more time than I had anticipated, and I'm left with feelings

Re: Activation protocol for tracking devices

2009-03-02 Thread Jerry Leichter
On Feb 27, 2009, at 2:13 PM, Santiago Aguiar wrote: * Is there any standard cryptographic hash function with an output of about 64 bits? It's OK for our scenario if finding a preimage for a particular signature takes 5 days. Not if it takes 5 minutes. Not specifically, but you can simply take

Re: Activation protocol for tracking devices

2009-03-02 Thread Santiago Aguiar
Hi, Jerry Leichter wrote: Not specifically, but you can simply take the first 64 bits from a larger cryptographically secure hash function. OK, I didn't know if it was right to do just that. We were thinking to use that hash in an HMAC so the TCU and SO can know that they were originated from

Re: X.509 certificate overview + status

2009-03-02 Thread Eric Murray
On Mon, Mar 02, 2009 at 05:35:20PM +0100, Marcus Brinkmann wrote: Travis wrote: Further, trying to dig into ASN.1 was extremely difficult. The specs are full of obtuse language, using terms like object without defining them first. Are there any tools that will dump certificates in

How to Share without Spilling the Beans

2009-03-02 Thread Ali, Saqib
A new protocol aims to protect privacy while allowing organizations to share valuable information: http://www.technologyreview.com/communications/22238/?a=f saqib http://www.capital-punishment.net

Re: X.509 certificate overview + status

2009-03-02 Thread Dave Howe
Travis wrote: Hello, Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP, and OpenVPN services. Actually, I created my own CA for some of the certificates, and in other cases I used self-signed. It took me substantially more time than I had anticipated, and I'm left with

Re: Activation protocol for tracking devices

2009-03-02 Thread John Ioannidis
As it has been pointed out numerous times on this and other places, this is a singularly bad idea. The crypto isn't even the hardest part (and it's hard enough). Just don't do it. If you are going to spend your energy on anything, it should be to work against such a plan. /ji

Re: Activation protocol for tracking devices

2009-03-02 Thread Santiago Aguiar
John Ioannidis wrote: Just don't do it. If you are going to spend your energy on anything, it should be to work against such a plan. I would agree, but I fear that a "this is never going to work, drop it" will be less heard than any effort in at least trying to raise the bar for an attack.

Re: How to Share without Spilling the Beans

2009-03-02 Thread Arshad Noor
Ali, Saqib wrote: A new protocol aims to protect privacy while allowing organizations to share valuable information: http://www.technologyreview.com/communications/22238/?a=f Any links to the actual protocol itself? The article is a little vague on details. Thanks. I did not see any

Re: Activation protocol for tracking devices

2009-03-02 Thread Jerry Leichter
On Mar 2, 2009, at 12:56 PM, Santiago Aguiar wrote: Hi, Jerry Leichter wrote: Not specifically, but you can simply take the first 64 bits from a larger cryptographically secure hash function. OK, I didn't know if it was right to do just that. We were thinking to use that hash in an HMAC so

Re: How to Share without Spilling the Beans

2009-03-02 Thread Jonathan Katz
On Mon, 2 Mar 2009, Arshad Noor wrote: Ali, Saqib wrote: A new protocol aims to protect privacy while allowing organizations to share valuable information: http://www.technologyreview.com/communications/22238/?a=f Any links to the actual protocol itself? The article is a little vague on