Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Peter Gutmann
David-Sarah Hopwood david-sa...@jacaranda.org writes: Huh? I don't understand the argument being made here. It's a bogus argument, the text says: He took a legitimate software package and removed the signature of the digital certificate it contained, then installed the package on his

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Jon Callas
On Jul 30, 2010, at 4:58 AM, Peter Gutmann wrote: [0] I've never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. That is because a tragedy involves someone dying. Strictly speaking, a tragedy involves a Great Person who is brought to their undoing

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Peter Gutmann
Jon Callas j...@callas.org writes: But S.J. Perleman's Three Shares in a Boat Uhh. minor nitpick, it was Jerome K. Jerome who wrote Three Shares in a Boat. He followed it up with Three Certificates on the Bummel, a reference to the sharing of commercial vendors' code-signing keys with malware

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Jon Callas
On Aug 4, 2010, at 11:29 PM, Peter Gutmann wrote: Jon Callas j...@callas.org writes: But S.J. Perleman's Three Shares in a Boat Uhh. minor nitpick, it was Jerome K. Jerome who wrote Three Shares in a Boat. He followed it up with Three Certificates on the Bummel, a reference to the

Preventing a recurrence of the Realtek/JMicron fiasco

2010-08-05 Thread Peter Gutmann
I've been having an off-list discussion with someone about how you'd prevent the recent Realtek/JMicron certificate fiasco. My thoughts on this: Since many development shops see the signing process as nothing more than an annoying speed-bump that stands in the way of application deployment,

phpwn: PHP cookie PRNG flawed (Netscape redux)

2010-08-05 Thread travis+ml-cryptography
https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf Hey, another PRNG is broken. Raise your hand if you're surprised. -- A Weapon of Mass Construction My emails do not have attachments; it's a digital signature that your mail program

Re: phpwn: PHP cookie PRNG flawed (Netscape redux)

2010-08-05 Thread Chris Palmer
travis+ml-cryptogra...@subspacefield.org writes: https://media.blackhat.com/bh-us-10/whitepapers/Kamkar/BlackHat-USA-2010-Kamkar-How-I-Met-Your-Girlfriend-wp.pdf He doesn't mention the php.ini variables session.entropy_length and session.entropy_file. Last I checked, their default settings were

The long twilight of IE6

2010-08-05 Thread Jerry Leichter
We discussed the question of why IE6 is still out there. Well ... http://arstechnica.com/microsoft/news/2010/08/despite-petition-uk-government-to-keep-ie6.ars reports that the UK government has officially decided not to replace IE6, feeling the costs outweigh the benefits. Quoting from the