"David G. Koontz" <[EMAIL PROTECTED]> writes:
>http://www.stuff.co.nz/4659100a28.html?source=RSStech_20080817
>
>Peter Gutmann has gotten himself in the news along with Adam Laurie and
>Jeroen van Beek for altering the passport microchip in a passport.
The ori
Stefan Kelm <[EMAIL PROTECTED]> writes:
>> The original story was actually the coverage in the UK Times last week,
>
>Which card reader(s) did you use?
Adam and I used the Omnikey Cardman 5321 (I'm not sure what Jeroen used,
probably the same), which is cheap, well-supported with drivers, and che
Allen <[EMAIL PROTECTED]> writes:
>I just got a warning that a certificate had expired and yet the data in it
>says:
>
>> [From: Tue Aug 05 17:00:00 PDT 2003,
>> To: Mon Aug 05 16:59:59 PDT 2013]
>
>The error message says: "The digital signature was generated with a trusted
>certificate but has e
[Not sure if this is still of general list interest, let's take the followups
off-list. If anyone else wants to be included in the off-list discussion,
let me know].
Stefan Kelm <[EMAIL PROTECTED]> writes:
>Did the "Golden Reader Tool" (GRT) recognize the Cardman reader w/o any
>modifications?
The Codinghorror blog has a good writeup on the level of sophistication of UI
spoofing being used in phishing attacks, specifically how a web search for
lilies leads to a pretty convincing social-engineering attack designed to get
users to install their malware:
http://www.codinghorror.com/blog/
Speaking of CPU-specific optimisations, I've seen a few algorithm proposals
from the last few years that assume that an algorithm can be scaled linearly
in the number of CPU cores, treating a multicore CPU as some kind of SIMD
engine with all cores operating in lock-step, or at least engaging in so
=?ISO-8859-15?Q?Philipp_G=FChring?= <[EMAIL PROTECTED]> writes:
>Does anyone know a an algorithm that has reasonable strength and is able to
>operate on non-binary data? Preferrably on any chosen number-base?
I posted a description of how to perform encryption in limited subranges to
sci.crypt ab
The Codinghorror blog has a good writeup on the level of sophistication of UI
spoofing being used in phishing attacks, specifically how a web search for
lilies leads to a pretty convincing social-engineering attack designed to get
users to install their malware:
http://www.codinghorror.com/blog/
Eric Rescorla <[EMAIL PROTECTED]> writes:
>There are a set of techniques that allow you to encrypt elements of arbitrary
>sets back onto that set.
... and most of them seem to be excessively complicated for what they end up
achieving. Just for reference the mechanism from the sci.crypt thread of
Eric Rescorla <[EMAIL PROTECTED]> writes:
>There's noting inherently wrong with this mechanism, but like all stream
>ciphers, it can't be used if you want to encrypt multiple independent values,
>e.g., credit cards in a database--without a randomizer (which implies
>expansion) you have the usual t
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>Unfortunately, I don't see anything technological that people can reasonably
>do here to provide more privacy,
Painting the camera lenses with laser pointers is quite effective, at least as
a short-term civil-disobedience measure. Since there's no
Daniel Carosone <[EMAIL PROTECTED]> writes:
>On Fri, Aug 29, 2008 at 09:01:26PM +, Muffys Wump wrote:
>> Master Password: hash(hash(login_password))
>>
>> Would this be a good idea if we've used this generated hash as a key for AES?
>> Would the hashing be secure enough against different kinds
IanG <[EMAIL PROTECTED]> writes:
>4. Skype. Doesn't do email, but aside from that minor character flaw, it
>cracked everything else. It's the best example of what it should look like.
The UI still leaves quite a lot to be desired. Try sitting a non-geek user in
front of a fresh Skype install
In the ongoing comedy of errors that is US online banking "security" I've just
run into another one that's good for a giggle: Go to www.wachovia.com and,
without entering any credentials, click 'Login' on their unsecured logon page.
You get taken to an authenticated, SSL-secured... error message pa
Sebastian Krahmer <[EMAIL PROTECTED]> writes:
>This reminds me the most weird SSL related error message I have ever seen and
>which is there since ages:
>
>https://www.fbi.gov
>
>Beside that the certificate is wrong :-)
That's an artefact of the SSL MITM that Akamai performs for sites that are
ho
Darren J Moffat <[EMAIL PROTECTED]> writes:
>I believe the only way both of these highly dubious deployment practices will
>be stamped out is when the browsers stop allowing users to see such web pages.
Unfortunately I think the only way it (and a pile of other things as well) may
get stamped ou
"James A. Donald" <[EMAIL PROTECTED]> writes:
>Visualize Obama, McCain, or Sarah Palin setting up your network security.
>Then realize that whoever they appoint as Czar in charge of network security
>is likely to be less competent than they are.
You're think about this from the wrong angle. We d
David Molnar <[EMAIL PROTECTED]> writes:
>Dan Geer's comment about the street price of heroin as a metric for success
>has me thinking - are people tracking the street prices of digital underground
>goods over time?
I've been (very informally) tracking it for awhile, and for generic data (non-
Pl
Allen <[EMAIL PROTECTED]> writes:
>I have a question about all this. There seems to be a disconnect between the
>approximate prices mentioned here - too cheap to only do small transactions,
>etc - and what I have seen when looking at various of the sites. Maybe I'm
>missing something and you could
Dirk-Willem van Gulik <[EMAIL PROTECTED]> writes:
>As to technical options to accomplish this
The mechanisms for this actually already exist, they're just not used. First
of all, you need to admit that you have a problem: SSL certs by themselves are
more or less useless in providing assurance, t
"Dave Korn" <[EMAIL PROTECTED]> writes:
>http://www.theregister.co.uk/2008/09/17/cyber_crime_fighting/
>" After getting a search warrant and confiscating his hard drive,
>investigators were forced to scour through its remains using an electron
>microscope, and the price of $100,000 per pass. "
>
IanG <[EMAIL PROTECTED]> writes:
>Any evidence of that? [People buying certs using stolen credit cards]
I don't know if anyone tracks the exact count (apart from the 2005 figure of
(at least) 450 recorded incidents of secure phishing) but every now and then
you get reports of particular ones tha
I was browsing through the Windows download centre for reasons not relevant
here and came across KB955417, dated 22 August 2008:
Install this update to resolve an issue in which protected storage (PStore)
uses a lower quality cryptographic function when the system locale is set to
French (Fr
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>[EMAIL PROTECTED] (Peter Gutmann) wrote:
>> - Use TLS-PSK, which performs mutual auth of client and server
>> without ever communicating the password. This vastly complicated
>> phishing since the phisher h
Inspired by Ian Grigg's comment (in the subject line) and various remarks made
in a recent thread, I had a look at the Verisign 1.0 CPS from 1996 and the
very latest Verisign CPS from June 2008, twelve years later. Here's the
authentication requirements for businesses. One is from the 1.0 CPS, wh
"Leichter, Jerry" <[EMAIL PROTECTED]> writes:
>The sitation today is (a) the decreasing usefulness of passwords - those
>anyone has a chance of remembering are just to guessable in the face of the
>kinds of massive intelligent brute force that's possible today and (b) the
>inherently insecure pass
Combining several replies into one...
Nicolas Williams <[EMAIL PROTECTED]> writes:
>On Mon, Sep 22, 2008 at 08:59:25PM -1000, James A. Donald wrote:
>> The major obstacle is that the government would want a strong binding
>> between sim cards and true names, which is no more practical than a
>> st
For the past several years I've been making a point of asking users of crypto
on embedded systems (which would be particularly good targets for side-channel
attacks, particularly ones that provide content-protection capabilities)
whether they'd consider enabling side-channel attack (SCA - no, no
The DailyWTF has an entertainnig writeup on how not to use strong crypto to
protect an embedded device, in this case a Wii, at
http://thedailywtf.com/Articles/Anatomii-of-a-Hack.aspx. The
signature-verification function was particularly entertaining:
decrypt_rsa(signature, public_key, decryp
Thierry Moreau <[EMAIL PROTECTED]> writes:
>I find the question should be refined.
It could if there was a large enough repondent base to draw samples from :-).
This is one of those surveys that can never be done because no vendor will
publicly talk to you about security measures in their embed
Ben Laurie <[EMAIL PROTECTED]> writes:
>Peter Gutmann wrote:
>> Given the string of
>> attacks on crypto in embedded devices (XBox, iPhone, iOpener, Wii, some
>> not-yet-published ones on HDCP devices :-), etc) this is by far the most
>> at-risk category because t
Bill Stewart <[EMAIL PROTECTED]> writes:
>A quick google-look at ASICs showed a number in the range of 300K-20M gates,
>so hash-trees could probably get speedups of up to 20-100x if you can keep
>from becoming input-speed-bound. The 300K chips were about $6, 5M at $50 and
>350MHz, which is somewha
Wouter Slegers <[EMAIL PROTECTED]> writes:
>Timing analysis is quite possible to pull of in straightforward
>implementations as demonstrated over the Internet on OpenSSL prior to their
>implementation of blinding (
>http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf). But frankly, I have
>neve
>From the DailyWTF:
In my previous alert, I included the text of a phishing email as an example
[of phishing emails that people shouldn't reply to]. Some students
misunderstood that I was asking for user name and password, and replied with
that information. Please be aware that you shouldn
This doesn't seem to have garnered much attention, but this year marks two
milestones in PKI: Loren Kohnfelder's thesis was published 30 years ago, and
X.509v1 was published 20 years ago.
As a sign of PKI's successful penetration of the marketplace, the premier get-
together for PKI folks, the IDt
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>Summary: shops in Vietnam removing the baseband chip on iPhone motherboards
>to reprogram and unlock them.
>From someone who knows about these things:
They got this a little wrong -- he's actually removing the stacked die
NOR/PSRAM, erasing and
StealthMonger writes:
>Connection-based communication such as Skype and OTR do not provide this
>capability. The hop by hop store-and-forward email network does. This is not
>busted or wrong. It's essential.
... to a statistically irrelevant bunch of geeks. Watch Skype deploy a not-
terribly-
Bill Frantz writes:
>I find myself in this situation with a design I'm working on. I have an ARM
>chip, where each chip has two unique numbers burned into the chip for a total
>of 160 bits. I don't think I can really depend on these numbers being secret,
>since the chip designers thought they wou
=?ISO-8859-1?Q?Joachim_Str=F6mbergson?= writes:
>Damien Miller wrote:
>> Until someone runs your software on a SSD instead of a HDD. Oops.
>
>That is a very good observation. I would bet loads of GM stocks that very few
>people realise that moving from 0ld sk00l HDD to SSD would affect their
>entr
In recently had an opportunity to talk to someone who had had a family member
become a victim of identity fraud, not in the usual manner to target them
directly but as a springboard to target others by registering a phishing site
in their name. Variations on this theme include using stolen identit
Adam Shostack writes:
>Do you have evidence of either Authenticode or business impersonation? I
>agree that they're highly plausible, but you say " if the putative owner of
>an AuthentiCode certificate used to sign a piece of malware is ever tracked
>down then it's invariably some innocent victim
Adam Shostack writes:
>I'd be estatic with a frequency analysis that I could show to people.
This always happens right after you hit ^D... it turns out that Microsoft
actually has published figures for this, although it's fairly recent so I
hadn't seen it before now:
http://blogs.technet.co
Adam Shostack writes:
>Thank you! I hadn't seen this either, and it's exactly what I was looking
>for.
One note of caution with the statistics given on that page, those figures are
apparently as reported by the Malicious Software Removal Tool (MSRT) (see
http://www.microsoft.com/security/portal
d...@geer.org writes:
>I'm hoping this is just a single instance but it makes you remember that the
>browser pre-trusted certificate authorities really needs to be cleaned up.
Given the more or less complete failure of commercial PKI for both SSL web
browsing and code-signing (as evidenced by th
David Molnar writes:
>Service from a group at CMU that uses semi-trusted "notary" servers to
>periodically probe a web site to see which public key it uses. The notaries
>provide the list of keys used to you, so you can attempt to detect things
>like a site that has a different key for you than p
Ben Laurie writes:
>what happens when the cert rolls? If the key also changes (which would seem
>to me to be good practice), then the site looks suspect for a while.
I'm not aware of any absolute figures for this but there's a lot of anecdotal
evidence that many cert renewals just re-certify the
Sidney Markowitz writes:
>So which is worse, that anyone (allegedly) can get a cert from Comodo for any
>domain without any proof of identity or verification of control of the domain,
>or that CA root certs that use MD5 for their hash are still in use and have
>now been cracked?
... or the fact
https://visa.com/
Peter.
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Jerry Leichter writes:
>On Jan 9, 2009, at 6:49 AM, Peter Gutmann wrote:
>> https://visa.com/
>I get no response. None at https://www.visa.com either.
Sigh, you wait awhile to make sure it's not an intermittent thing and then as
soon as you post it it stops working (or maybe
"Weger, B.M.M. de" writes:
>> Bottom line, anyone fielding a SHA-2 cert today is not going=20
>> to be happy with their costly pile of bits.
>
>Will this situation have changed by the end of 2010 (that's next year, by the
>way), when everybody who takes NIST seriously will have to switch to SHA-2
"Steven M. Bellovin" writes:
>So -- who supports TLS 1.2?
Not a lot, I think. The problem with 1.2 is that it introduces a pile of
totally gratuitous incompatible changes to the protocol that require quite a
bit of effort to implement (TLS 1.1 -> 1.2 is at least as big a step, if not a
bigger s
Jon Callas writes:
>I've always been pleased with your answer to Question J, so I'll say what
>we're doing at PGP.
That wasn't really meant as a compliment :-). The problem is that by leaping
on things the instant they appear you end up having to support a menagerie of
wierdo algorithms and mec
Eric Rescorla writes:
>At Tue, 20 Jan 2009 17:57:09 +1300, Peter Gutmann wrote:
>> "Steven M. Bellovin" writes:
>>
>> >So -- who supports TLS 1.2?
>>
>> Not a lot, I think. The problem with 1.2 is that it introduces a pile of
>> totally
Jerry Leichter writes:
>There's a "Classified USB Cable for file transfer with Classified PC"
I wonder what a "classified USB cable" is. Perhaps it's an unclassified USB
cable with the little three-prong USB logo blacked out by the censors.
Peter.
-
"Steven M. Bellovin" writes:
>http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126869&intsrc=hm_ts_head
>From a quick look at what's just been released
(https://www.trustedcomputinggroup.org/groups/storage/) it doesn't actually
tell you anything about how to do
Donald Eastlake writes:
>"Recent research has shown that a new and disturbing form of computer
>infection is readily spread: the epidemic copying of malicious code
>among wireless routers without the participation of intervening
>computers. Such an epidemic could easily strike cities, where the
>
John Gilmore writes:
>The theory that we should build "good and useful" tools capable of monopoly
>and totalitarianism, but use social mechanisms to prevent them from being
>used for that purpose, strikes me as naive.
There's another problem with this theory and that's the practical
implementati
Ben Laurie writes:
>Apart from the obvious fact that if the TPM is good for DRM then it is also
>good for protecting servers and the data on them,
In which way, and for what sorts of "protection"? And I mean that as a
serious inquiry, not just a "Did you spill my pint?" question. At the momen
[Moderator's note: my forwarding this is not an indication that I want
to continue the "are certs IP" discussion. --Perry]
"Perry E. Metzger" writes:
>However, a cert seems almost certainly *not* to be IP.
>
>[...]
>
>3) It can't be copyrighted, it contains no creativity.
You obviously haven't
Rene Veerman writes:
>Recently, on both the jQuery(.com) and PHP mailinglists, a question has
>arisen on how to properly secure a login form for a non-ssl web-application.
>But the replies have been "get ssl".. :(
>
>I disagree, and think that with a proper layout of authentication
>architecture,
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens as little as $5. Barely anyone uses them.
Can anyone explain wh
Ben Laurie writes:
>I totally agree, and this is the thinking behind the Keyczar project (
>http://www.keyczar.org/):
If we're allowed to do self-promotion I'll have to mention cryptlib, which had
as one of its principal design goals what was later stated by Ian Grigg as
"there should only be on
"Steven M. Bellovin" writes:
>http://www.theregister.co.uk/2009/02/19/ssl_busting_demo/ -- we've talked
>about this attack for quite a while; someone has now implemented it.
My analysis of this (part of a much longer writeup):
-- Snip --
[...] it's now advantageous for attackers to spoof non-S
John Levine writes:
>Clever though this scheme is, man-in-the middle attacks make it no better
>than a plain SSL login screen.
You don't even need a MITM, just replace the site image on your phishing site
with either a broken- image picture or a message that your award-winning
site-image softw
"James A. Donald" writes:
>The interesting thing is that it and similar phishes do not seem to have been
>all that successful - few people seemed to notice at all, the general
>reaction being to simply hit the spam key reflexively, much as people click
>away popup warnings reflexively, and are un
"Perry E. Metzger" writes:
>[Explanation of why courts aren't Turing machines]
Very nice explanation. The name I've used for this (attempted) defence is the
Rumpelstiltskin defence, for reasons that should be obvious (and at some point
I'll get around to finishing the writeup on this, which I g
"Marcus Brinkmann" writes:
>* The safest thing to do is to do a clean operating system install before
>traveling.
If you have an appropriate netbook (about 50% support this, check your
manufacturer and model type), unplug the SD card containing the OS image and
replace it with the SD card contai
I was just reading through the WiMAX PKI documentation [0]... this uses PGP to
issue device and server X.509 certificates for use in WiMAX networks:
"Name" is an identifying name for the recipient that will be used as an
authenticated identity by the CA signing system. This is the identifier
The whole story's at:
http://www.wired.com/politics/security/news/2009/04/fleetcom
it appears that Brazilians wanting to communicate on the cheap are using US
FLTSATCOM links to talk to each other. This works because "the communication
channel was open, not encrypted, lots of people used it to t
Thor Lancelot Simon writes:
>On Sat, Mar 07, 2009 at 05:40:31AM +1300, Peter Gutmann wrote:
>> Given that, when I looked a couple of years ago, TPM support for
>> public/private-key stuff was rather hit-and-miss and in some cases seemed to
>> be entirely absent (so you coul
Thor Lancelot Simon writes:
>Almost no web servers run with passwords on their private key files. Believe
>me. I build server load balancers for a living and I see a _lot_ of customer
>web servers -- this is how it is.
Ah, that kinda makes sense, it would parallel the experience with client-sid
Sandy Harris writes:
>Yes, but that paper is over ten years old. In the meanwhile, disk designs and
>perhaps encoding schemes have changed, journaling file systems have become
>much more common and, for all I know the attack technology may have changed
>too.
It's nearly fifteen years old (it was
"Perry E. Metzger" writes:
>Greg Rose writes:
>> It already wasn't theoretical... if you know what I mean. The writing
>> has been on the wall since Wang's attacks four years ago.
>
>Sure, but this should light a fire under people for things like TLS 1.2.
Why?
Seriously, what threat does this p
Subject says it all, does anyone know of a public, commercial CA (meaning one
baked into a browser or the OS, including any sub-CA's hanging off the roots)
ever having their certificate revoked? An ongoing private poll hasn't turned
up anything, but perhaps others know of instances where this occu
Thierry Moreau writes:
>Now that the main question is answered, there are sub-questions to be asked:
>
>1. Has any public CA ever encountered a situation where a revocation would
>have been necessary?
Yes, several times, see e.g. the recent mozilla.org fiasco, as a result of
which nothing happen
Paul Hoffman writes:
>Peter, you really need more detents on the knob for your hyperbole setting.
>"nothing happened" is flat-out wrong: the CA fixed the problem and researched
>all related problems that it could find. Perhaps you meant "the CA was not
>punished": that would be correct in this ca
Travis writes:
>I have never seen a good catalog of computationally-strong pseudo-random
>number generators. It seems that everyone tries to roll their own in
>whatever application they are using, and I bet there's a lot of waste and
>inefficiency and re-inventing the wheel involved.
>
>If this
Ben Laurie writes:
>Incidentally, the reason we don't use EKE (and many other useful schemes) is
>not because they don't solve our problems, its because the rights holders
>won't let us use them.
That's not the reason, TLS-SRP isn't that annoyingly encumbered, and even the
totally unencumbered
"Perry E. Metzger" writes:
>Home routers and other equipment last for years. If we slowly roll out
>various protocol and system updates now, then in a number of years, when we
>find ourselves with real trouble, a lot of them will already be updated
>because new ones won't have issues.
I'm not re
Bill Frantz writes:
>So my reaction is to say that it's all a big stinking pile and try to develop
>systems and procedures that don't rely on CAs. (e.g. curl with a copy of the
>server's self-signed certificate, the Petname toolbar, etc.)
The problem with this is that recent changes in browser U
I was looking for information on this recently to update an old reference to
the DSTU version but it seems to have vanished, there's no information on it
online that I could find after about 2001 or so (apart from a reference to a
2006 version in a conference paper). The ANSI web site claims th
Jerry Leichter writes:
>For the most part, software like this aims to keep reasonably honest
>people honest. Yes, they can probably hire someone to hack around the
>licensing software. (There's generally not much motivation for J
>Random User to break this stuff, since it protects busines
Imagine if you got the following email:
You may have noticed that we've created a new tool in FastNet Classic called
the Online Vault. Hopefully you'll find it pretty handy - it allows you to
securely store important personal information such as:
- IRD number [equivalent to the SSN in the
I haven't been able to find an English version of this, but the following news
item from Germany:
http://www.heise.de/security/E-Gesundheitskarte-Datenverlust-mit-Folgen--/news/meldung/141864
reports that the PKI for their electronic health card has just run into
trouble: they were storing the ro
"Jeffrey I. Schiller" writes:
>Because of prior experience with a SafeKeyper(tm) (a very large HSM), I
>learned that when the only copy of your key is in an HSM, the HSM vendor
>really owns you key, or at least they own you!
I thought the Safekeypers had a cloning mechanism (as do things like Ch
Nicolas Williams writes:
>This goes to show that we do need a TA distribution protocol (not for the
>web, mind you), and it needs to use PKI -- a distinct, but related PKI.
... and now you have two (probably unsolveable) problems instead of one.
In addition because the second problem virtua
"Jeffrey I. Schiller" writes:
>Our current Server CA certificate will expire in 2026 (when hopefully it
>won't be my problem!).
Thus the universal CA root cert lifetime policy, "the lifetime of a CA root
certificate is the time till retirement of the person in charge at its
creation, plus five
Leandro Meiners quotes:
>"For example, by specifying an HMACOutputLength of 1, only one bit of the
>signature is verified. This can allow an attacker to forge an XML signature
>that will be accepted as valid."
This excessive generality is a serious problem in way too many crypto specs,
and impl
"mhey...@gmail.com" writes:
>2) If you throw TCP processing in there, unless you are consistantly going to
>have packets on the order of at least 1000 bytes, your crypto algorithm is
>almost _irrelevant_.
>[...]
>for a Linux 2.2.14 kernel, remember, this was 10 years ago.
Could the lack of suppo
[I realise this isn't crypto, but it's arguably security-relevant and arguably
interesting :-)].
James Hughes writes:
>TOEs that are implemented in a slow processor in a NIC card have been shown
>many times to be ineffective compared to keeping TCP in the fastest CPU
>(where it is now).
The pr
Jon Callas writes:
>On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote:
>> PGP Desktop 9 uses as its default an iteration count of four
>> million (!!) for its password hashing, which looks like a DoS to
>> anything that does sanity-checking of input.
>
>That's pre
"Perry E. Metzger" writes:
>This highlights an unfortunate instance of monoculture -- nearly everyone on
>the internet uses Flash for nearly all the video they watch, so just about
>everyone in the world is using a binary module from a single vendor day in,
>day out.
There are quite a number of
"Perry E. Metzger" writes:
>Jerry Leichter writes:
>> One way or another, a single implementation usually wins out in the
>> OSS community.
>
>See above -- even counting only open source, we have *many* implementations.
>Heck, there are even multiple independent open source SSL, SSH and PGP
>impl
Jon Callas writes:
>You are of course correct, Peter, but are you saying that we shouldn't do
>anything?
Well, I think it's necessary to consider the tradeoffs, if you don't know the
other side's capabilities then it's a bit risky to assume that they're the
same as yours.
>You are wrong with th
Jon Callas writes:
>Okay, password-protected files would get it, too. I won't ask why you're
>sending password protected files to an agent.
They're not technically password-protected files but pre-shared key (PSK)
protected files, where the keys have a high level of entropy (presumably 128
bits,
Arshad Noor writes:
>If you (or anyone on this forum) know of technology that allows the
>application to gain access to the crypto-hardware after an unattended reboot
>- but can prevent an attacker from gaining access to those keys after
>compromising a legitimate ID on the machine - I'd welcome
Ben Laurie writes:
>So, I've heard many complaints over the years about how the UI for
>client certificates sucks. Now's your chance to fix that problem -
>we're in the process of thinking about new client cert UI for Chrome,
>and welcome any input you might have. Obviously fully-baked proposals
"James A. Donald" writes:
>For password-authenticated key agreement such as TLS-SRP or TLS-PSK to work,
>login has to be in the chrome.
Sure, but that's a relatively tractable UI problem (and see the comment below
on Camino). Certificates on the other hand are an apparently intractable
busin
"James A. Donald" writes:
>This, however, requires both client UI software, and an api to server side
>scripts such as PHP, Perl, or Python (the P in LAMP). On the server side, we
>need a request object in the script language that tells the script that this
>request comes from an entity that est
"James A. Donald" writes:
>[Incredibly complicated description of web scripting plumbing deleted]
We seem to be talking about competely different things here. For a typical
application, say online banking, I connect to my bank at www.bank.com or
whatever, the browser requests my credential info
401 - 500 of 596 matches
Mail list logo