Re: Hashing algorithm needed

2010-09-14 Thread Nicolas Williams
On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote: > On 09/14/2010 09:13 AM, Ben Laurie wrote: > >Of some interest to me is the approach I saw recently (confusingly named > >WebID) of a pure Javascript implementation (yes, TLS in JS, apparently), > >allowing UI to be completely controlled b

Re: Intel plans crypto-walled-garden for x86

2010-09-14 Thread Steven Bellovin
On Sep 13, 2010, at 11:58 57PM, John Gilmore wrote: > http://arstechnica.com/business/news/2010/09/intels-walled-garden-plan-to-put-av-vendors-out-of-business.ars > > "In describing the motivation behind Intel's recent purchase of McAfee > for a packed-out audience at the Intel Developer Forum,

Re: Intel plans crypto-walled-garden for x86

2010-09-14 Thread Bill Frantz
On 9/13/10 at 8:58 PM, g...@toad.com (John Gilmore) wrote: Intel's Paul Otellini framed it as an effort to move the way the company approaches security "from a known-bad model to a known-good model." Does that include monetary indemnity when the "known-good" turns out to be bad? I bet not.

Re: Folly of looking at CA cert lifetimes

2010-09-14 Thread Paul Hoffman
At 5:33 PM -0400 9/14/10, Thor Lancelot Simon wrote: >On Tue, Sep 14, 2010 at 08:14:59AM -0700, Paul Hoffman wrote: >> At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for >> someone else: >> >This suggests to me that even if NIST is correct that 2048 bit RSA >> >keys are t

Re: Folly of looking at CA cert lifetimes

2010-09-14 Thread Thor Lancelot Simon
On Tue, Sep 14, 2010 at 08:14:59AM -0700, Paul Hoffman wrote: > At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for > someone else: > >This suggests to me that even if NIST is correct that 2048 bit RSA > >keys are the reasonable minimum for new deployments after 2010,

Re: Debian encouraging use of 4096 bit RSA keys

2010-09-14 Thread Henrique de Moraes Holschuh
On Tue, 14 Sep 2010, Perry E. Metzger wrote: > The decision that 1024 bit keys are inadequate for code signing is > likely reasonable. The idea that 2048 bits and not something between > 1024 bits and 2048 bits is a reasonable minimum is perhaps arguable. > One wonders what security model indicated

Re: Intel plans crypto-walled-garden for x86

2010-09-14 Thread David G. Koontz
On 14/09/10 3:58 PM, John Gilmore wrote: > http://arstechnica.com/business/news/2010/09/intels-walled-garden-plan-to-put-av-vendors-out-of-business.ars > > "In describing the motivation behind Intel's recent purchase of McAfee > for a packed-out audience at the Intel Developer Forum, Intel's Paul

Re: Hashing algorithm needed

2010-09-14 Thread Marsh Ray
On 09/14/2010 09:13 AM, Ben Laurie wrote: On 14/09/2010 12:29, Ian G wrote: On 14/09/10 2:26 PM, Marsh Ray wrote: On 09/13/2010 07:24 PM, Ian G wrote: 1. In your initial account creation / login, trigger a creation of a client certificate in the browser. There may be a way to get a browser

Re: Haystack redux

2010-09-14 Thread Alec Muffett
Obliged, Steve. My & Simon Phipps' write-up is at ComputerWeekly: http://blogs.computerworlduk.com/simon-says/2010/09/burning-haystack/index.htm - a On 14 Sep 2010, at 17:57, Steve Weis wrote: > There have been significant developments around Haystack since the > last messag

Re: Haystack redux

2010-09-14 Thread Steve Weis
There have been significant developments around Haystack since the last message on this thread. Jacob Appelbaum obtained a copy and found serious vulnerabilities that could put its users at risk. He convinced Haystack to immediately suspend operations. The developer of Haystack, Daniel Colascione,

HDCP master key supposedly leaked

2010-09-14 Thread Steven Bellovin
http://arstechnica.com/tech-policy/news/2010/09/claimed-hdcp-master-key-leak-could-be-fatal-to-drm-scheme.ars --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Intel plans crypto-walled-garden for x86

2010-09-14 Thread Peter Gutmann
John Gilmore writes: >Let me guess -- to run anything but Windows, you'll soon have to jailbreak >even laptops and desktop PC's? Naah, we're perfectly safe, like every other similar attempt after 5-10 years of effort and several hundred million dollars down the drain it'll come to nothing. I gu

Re: Hashing algorithm needed

2010-09-14 Thread Erwan Legrand
On Tue, Sep 14, 2010 at 13:29, Ian G wrote: > On 14/09/10 2:26 PM, Marsh Ray wrote: >> >> On 09/13/2010 07:24 PM, Ian G wrote: > >>> 1. In your initial account creation / login, trigger a creation of a >>> client certificate in the browser. >> >> There may be a way to get a browser to generate a c

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-14 Thread Tom Ritter
When their talk first started getting hyped on twitter last Thursday, the focus was on ASP.Net's viewstate [1,2] rather than the cookie aspect. (Viewstate is a base64 blob of data in a hidden form field about the current state of controls on the page.) I wonder if threatpost focused on cookies beca

Folly of looking at CA cert lifetimes

2010-09-14 Thread Paul Hoffman
At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for someone else: >This suggests to me that even if NIST is correct that 2048 bit RSA >keys are the reasonable minimum for new deployments after 2010, >much shorter keys are appropriate for most server certificates that >

Re: Debian encouraging use of 4096 bit RSA keys

2010-09-14 Thread Ben Laurie
On 14/09/2010 13:15, Perry E. Metzger wrote: > The decision that 1024 bit keys are inadequate for code signing is > likely reasonable. The idea that 2048 bits and not something between > 1024 bits and 2048 bits is a reasonable minimum is perhaps arguable. > One wonders what security model indicated

Re: Hashing algorithm needed

2010-09-14 Thread Ben Laurie
On 14/09/2010 12:29, Ian G wrote: > On 14/09/10 2:26 PM, Marsh Ray wrote: >> On 09/13/2010 07:24 PM, Ian G wrote: > >>> 1. In your initial account creation / login, trigger a creation of a >>> client certificate in the browser. >> >> There may be a way to get a browser to generate a cert or CSR, b

Re: Debian encouraging use of 4096 bit RSA keys

2010-09-14 Thread Perry E. Metzger
On Tue, 14 Sep 2010 12:01:22 -0300 Henrique de Moraes Holschuh wrote: > On Tue, 14 Sep 2010, Perry E. Metzger wrote: > > The decision that 1024 bit keys are inadequate for code signing is > > likely reasonable. The idea that 2048 bits and not something > > between 1024 bits and 2048 bits is a reas

Re: Debian encouraging use of 4096 bit RSA keys

2010-09-14 Thread Peter Gutmann
"Perry E. Metzger" writes: >One wonders what security model indicated 4096 bits is the ideal length The one that says that if you wind things up past 11 (4096 bits), various things break. (D'you really think they applied any kind of security analysis to the choice of key size? They just wo

Re: Debian encouraging use of 4096 bit RSA keys

2010-09-14 Thread Perry E. Metzger
[Moderator's note: Anonymously forwarded at the request of the sender. If you reply to this, please don't attribute it to me, I didn't send it. --Perry] Begin forwarded message: [Perry, please forward this anonymously, if you're permitting that these days] On Tue, Sep 14, 2010 at 08:15:52AM -040

Debian encouraging use of 4096 bit RSA keys

2010-09-14 Thread Perry E. Metzger
The decision that 1024 bit keys are inadequate for code signing is likely reasonable. The idea that 2048 bits and not something between 1024 bits and 2048 bits is a reasonable minimum is perhaps arguable. One wonders what security model indicated 4096 bits is the ideal length Perry Begin forw

Re: Hashing algorithm needed

2010-09-14 Thread Ian G
On 14/09/10 2:26 PM, Marsh Ray wrote: On 09/13/2010 07:24 PM, Ian G wrote: 1. In your initial account creation / login, trigger a creation of a client certificate in the browser. There may be a way to get a browser to generate a cert or CSR, but I don't know it. But you can simply generate i

Re: Intel plans crypto-walled-garden for x86

2010-09-14 Thread Ben Laurie
On 14/09/2010 04:58, John Gilmore wrote: > http://arstechnica.com/business/news/2010/09/intels-walled-garden-plan-to-put-av-vendors-out-of-business.ars > > "In describing the motivation behind Intel's recent purchase of McAfee > for a packed-out audience at the Intel Developer Forum, Intel's Paul

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-14 Thread Peter Gutmann
=JeffH quotes: >"We knew ASP.NET was vulnerable to our attack several months ago, but we >didn't know how serious it is until a couple of weeks ago. It turns out that >the vulnerability in ASP.NET is the most critical amongst other frameworks. >In short, it totally destroys ASP.NET security," sai

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-14 Thread Perry E. Metzger
On Tue, 14 Sep 2010 23:14:36 +1200 Peter Gutmann wrote: > The earlier work is also pretty devastating against CAPTCHAs (as > well as being a damn good read, "Sudo make me a CAPTCHA" :-). A > great many CAPTCHAs work by using a hidden form field containing > the encrypted solution to the CAPTCHA,

Intel plans crypto-walled-garden for x86

2010-09-14 Thread John Gilmore
http://arstechnica.com/business/news/2010/09/intels-walled-garden-plan-to-put-av-vendors-out-of-business.ars "In describing the motivation behind Intel's recent purchase of McAfee for a packed-out audience at the Intel Developer Forum, Intel's Paul Otellini framed it as an effort to move the way t

Re: Hashing algorithm needed

2010-09-14 Thread Marsh Ray
On 09/13/2010 07:24 PM, Ian G wrote: On 11/09/10 6:45 PM, f...@mail.dnttm.ro wrote: Essentially, the highest risk we have to tackle is the database. Somebody having access to the database, and by this to the authentication hashes against which login requests are verified, should not be able to