Reply to various,
Yes, the value in a given key signing is weak, in fact every link in the
web of trust is terribly weak.
However, if you notarize and publish the links in CT fashion then I can
show that they actually become very strong. I might not have good evidence
of John Gilmore's key at
All,
Quick question, anyone got a good scheme for key stretching?
I have this scheme for managing private keys that involves storing them as
encrypted PKCS#8 blobs in the cloud.
AES128 seems a little on the weak side for this but there are (rare)
circumstances where a user is going to need to
I sarcastically proposed the use of GOST as an alternative to NIST crypto.
Someone shot back a note saying the elliptic curves might be 'bent'.
Might be interesting for EC to take another look at GOST since it might be
the case that the GRU and the NSA both found a similar backdoor but one was
On Wed, Oct 9, 2013 at 12:44 AM, Tim Newsham tim.news...@gmail.com wrote:
We are more vulnerable to widespread acceptance of these bad principles than
almost anyone, ultimately. But doing all these things has won larger budgets
and temporary successes for specific people and agencies
One of the biggest problems with the current situation is that US
technology companies have no ability to convince others that their
equipment has not been compromised by a government mandated backdoor.
This is imposing a significant and real cost on providers of outsourced Web
Services and is
Does PGP have any particular support for key signing parties built in or is
this just something that has grown up as a practice of use?
I am looking at different options for building a PKI for securing personal
communications and it seems to me that the Key Party model could be
improved on if
On Tue, Oct 8, 2013 at 4:14 PM, James A. Donald jam...@echeque.com wrote:
On 2013-10-08 03:14, Phillip Hallam-Baker wrote:
Are you planning to publish your signing key or your decryption key?
Use of a key for one makes the other incompatible.
Incorrect. One's public key is always
On Sat, Oct 5, 2013 at 7:36 PM, James A. Donald jam...@echeque.com wrote:
On 2013-10-04 23:57, Phillip Hallam-Baker wrote:
Oh and it seems that someone has murdered the head of the IRG cyber
effort. I condemn it without qualification.
I endorse it without qualification. The IRG are bad
On Thu, Oct 3, 2013 at 12:21 PM, Jerry Leichter leich...@lrw.com wrote:
On Oct 3, 2013, at 10:09 AM, Brian Gladman b...@gladman.plus.com wrote:
Leaving aside the question of whether anyone weakened it, is it
true that AES-256 provides comparable security to AES-128?
I may be wrong about
On Mon, Oct 7, 2013 at 4:54 AM, Lay András and...@lay.hu wrote:
Hi!
I made a simple elliptic curve utility in command line PHP:
https://github.com/LaySoft/ecc_phgp
I know that in RSA, signing is the inverse operation of encrypting, so two
different keypairs are needed for encrypting and signing. In
On Sun, Oct 6, 2013 at 11:26 AM, John Kelsey crypto@gmail.com wrote:
If we can't select ciphersuites that we are sure we will always be
comfortable with (for at least some foreseeable lifetime) then we urgently
need the ability to *stop* using them at some point. The examples of MD5
and
On Fri, Oct 4, 2013 at 10:23 AM, John Kelsey crypto@gmail.com wrote:
On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker hal...@gmail.com wrote:
...
Dobbertin demonstrated a birthday attack on MD5 back in 1995 but it had
no impact on the security of certificates issued using MD5 until
On Fri, Oct 4, 2013 at 12:27 AM, David Johnston d...@deadhat.com wrote:
On 10/1/2013 2:34 AM, Ray Dillinger wrote:
What I don't understand here is why the process of selecting a standard
algorithm for cryptographic primitives is so highly focused on speed. ~
What makes you think Keccak is
On Mon, Sep 30, 2013 at 7:44 PM, arxlight arxli...@arx.li wrote:
Just to close the circle on this:
The Iranians used hundreds of carpet weavers (mostly women) to
reconstruct a good portion of the shredded documents which they
published (and I think continue to publish) eventually reaching
I think redoing TLS just to change the encoding format is to tilt at
windmills. Same for HTTP (not a fan of CORE over DTLS), same for PKIX.
But doing all three at once would actually make a lot of sense and I can
see something like that actually happen. But only if the incremental cost
of each
On Thu, Oct 3, 2013 at 5:19 AM, ianG i...@iang.org wrote:
On 3/10/13 00:37 AM, Dave Horsfall wrote:
On Wed, 2 Oct 2013, Jerry Leichter wrote:
Always keep in mind - when you argue for easy readability - that one
of COBOL's design goals was for programs to be readable and
understandable by
Replying to James and John.
Yes, the early ARPANET protocols are much better than many that are in
binary formats. But the point where data encoding becomes an issue is where
you have nested structures. SMTP does not have nested structures or need
them. A lot of application protocols do.
I have
On Fri, Sep 27, 2013 at 3:59 AM, John Gilmore g...@toad.com wrote:
And the problem appears to be compounded by doofus legacy implementations
that don't support PFS greater than 1024 bits. This comes from a
misunderstanding that DH keysizes only need to be half the RSA length.
So to go
On Tue, Sep 24, 2013 at 10:59 AM, Jerry Leichter leich...@lrw.com wrote:
On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
I was thinking about this and it occurred to me that it is fairly easy
to get a public SSL server to provide a client with a session key - just
On Sun, Sep 22, 2013 at 2:00 PM, Stephen Farrell stephen.farr...@cs.tcd.ie wrote:
On 09/22/2013 01:07 AM, Patrick Pelletier wrote:
1024 bits is enough for anyone
That's a mischaracterisation I think. Some folks (incl. me)
have said that 1024 DHE is arguably better than no PFS and
if
So we think there is 'some kind' of backdoor in a random number generator.
One question is how the EC math might make that possible. Another is how
might the door be opened.
I was thinking about this and it occurred to me that it is fairly easy to
get a public SSL server to provide a client with
On Thu, Sep 19, 2013 at 4:15 PM, Ben Laurie b...@links.org wrote:
On 18 September 2013 21:47, Viktor Dukhovni cryptogra...@dukhovni.org wrote:
On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote:
This is only realistic with DANE TLSA (certificate usage 2 or 3),
and thus will
On Thu, Sep 19, 2013 at 5:11 PM, Max Kington mking...@webhanger.com wrote:
On 19 Sep 2013 19:11, Bill Frantz fra...@pwpconsult.com wrote:
On 9/19/13 at 5:26 AM, rs...@akamai.com (Salz, Rich) wrote:
I know I would be a lot more comfortable with a way to check the mail
against a piece of
Working on Prism Proof email, I could use information on how to configure
various email clients to support S/MIME decryption using a previously
generated key package.
While descriptions of how the user can configure S/MIME would be nice, what
I am really after is information on the internals so
On Wed, Sep 18, 2013 at 5:23 PM, Lucky Green shamr...@cypherpunks.to wrote:
On 2013-09-14 08:53, Peter Fairbrother wrote:
I get that 1024 bits is about on the edge, about equivalent to 80
bits or a little less, and may be crackable either now
A few clarifications
1) PRISM-Proof is a marketing term
I have not spent a great deal of time looking at the exact capabilities of
PRISM vs the other programs involved because from a design point they are
irrelevant. The objective is to harden/protect the infrastructure from any
ubiquitous,
On Tue, Sep 17, 2013 at 8:01 PM, John Gilmore g...@toad.com wrote:
Techdirt takes apart his statement here:
https://www.techdirt.com/articles/20130917/02391824549/nsa-needs-to-give-its-rank-and-file-new-talking-points-defending-surveillance-old-ones-are-stale.shtml
NSA Needs To Give Its
My phrase PRISM-Proofing seems to have created some interest in the press.
PRISM-Hardening might be more important, especially in the short term. The
objective of PRISM-hardening is not to prevent an attack absolutely, it is
to increase the work factor for the attacker attempting ubiquitous
Just writing document two in the PRISM-Proof series. I probably have to
change the name before November. Thinking about 'Privacy Protected' which
has the same initials.
People talk about end-to-end without talking about what they are. In most
cases at least one end is a person or an
On Mon, Sep 16, 2013 at 3:14 PM, Ben Laurie b...@links.org wrote:
On 16 September 2013 18:49, Phillip Hallam-Baker hal...@gmail.com wrote:
To me the important thing about transparency is that it is possible for
anyone to audit the key signing process from publicly available
information
On Mon, Sep 16, 2013 at 2:48 PM, zooko zo...@zooko.com wrote:
On Sun, Sep 08, 2013 at 08:28:27AM -0400, Phillip Hallam-Baker wrote:
I think we need a different approach to source code management. Get rid of
user authentication completely, passwords and SSH are both a fragile approach
On Wed, Sep 11, 2013 at 2:40 PM, Bill Stewart bill.stew...@pobox.com wrote:
At 10:39 AM 9/11/2013, Phillip Hallam-Baker wrote:
Perfect Forward Secrecy is not perfect. In fact it is no better than
regular public key. The only difference is that if the public key system is
cracked then with PFS
I have attempted to produce a summary of the discussion so far for use as a
requirements document for the PRISM-PROOF email scheme. This is now
available as an Internet draft.
http://www.ietf.org/id/draft-hallambaker-prismproof-req-00.txt
I have left out acknowledgements and references at the
On Mon, Sep 9, 2013 at 3:58 AM, ianG i...@iang.org wrote:
On 9/09/13 02:16 AM, james hughes wrote:
I am honestly curious about the motivation not to choose more secure
modes that are already in the suites?
Something I wrote a bunch of years ago seems apropos, perhaps minimally as a
On Sat, Sep 7, 2013 at 8:53 PM, Gregory Perry gregory.pe...@govirtual.tv wrote:
On 09/07/2013 07:52 PM, Jeffrey I. Schiller wrote:
Security fails on the Internet for three important reasons, that have
nothing to do with the IETF or the technology per se (except for point 3).
1. There is
On Sat, Sep 7, 2013 at 10:35 PM, Gregory Perry gregory.pe...@govirtual.tv wrote:
On 09/07/2013 09:59 PM, Phillip Hallam-Baker wrote:
Anyone who thinks Jeff was an NSA mole when he was one of the main people
behind the MIT version of PGP and the distribution of Kerberos is talking
daft
On Sun, Sep 8, 2013 at 1:42 AM, Tim Newsham tim.news...@gmail.com wrote:
Jumping in to this a little late, but:
Q: Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own
versions?
A: (Schneier) Yes, I believe so.
On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore g...@toad.com wrote:
First, DNSSEC does not provide confidentiality. Given that, it's not
clear to me why the NSA would try to stop or slow its deployment.
DNSSEC authenticates keys that can be used to bootstrap
confidentiality. And it does
Two caveats on the commentary about a symmetric key algorithm with a
trapdoor being a public key algorithm.
1) The trapdoor need not be a good public key algorithm, it can be flawed
in ways that would make it unsuited for use as a public key algorithm. For
instance being able to compute the
On Sun, Sep 8, 2013 at 12:19 PM, Faré fah...@gmail.com wrote:
On Sun, Sep 8, 2013 at 9:42 AM, Phillip Hallam-Baker hal...@gmail.com wrote:
Two caveats on the commentary about a symmetric key algorithm with a
trapdoor being a public key algorithm.
1) The trapdoor need not be a good
On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger pe...@piermont.com wrote:
On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker hal...@gmail.com wrote:
The Registrars are pure marketing operations. Other than GoDaddy
which implemented DNSSEC because they are trying to sell the
business
On Sat, Sep 7, 2013 at 10:20 AM, Jeffrey I. Schiller j...@mit.edu wrote:
If I was the NSA, I would be scavenging broken hardware from
“interesting” venues and purchasing computers for sale in interesting
locations. I would be particularly interested in stolen computers, as
they have likely
On Sat, Sep 7, 2013 at 5:19 AM, ianG i...@iang.org wrote:
On 7/09/13 10:15 AM, Gregory Perry wrote:
Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for
OK how about this:
If a person at Snowden's level in the NSA had any access to information
that indicated the existence of any program which involved the successful
cryptanalysis of any cipher regarded as 'strong' by this community then the
Director of National Intelligence, the Director of the
On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger pe...@piermont.com wrote:
I would like to open the floor to *informed speculation* about
BULLRUN.
Informed speculation means intelligent, technical ideas about what
has been done. It does not mean wild conspiracy theories and the
like. I will
On Thu, Sep 5, 2013 at 4:41 PM, Perry E. Metzger pe...@piermont.com wrote:
On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger
pe...@piermont.com wrote:
I would like to open the floor to *informed speculation* about
BULLRUN.
Here are a few guesses from me:
1) I would not be surprised if
Sent from my difference engine
On Sep 5, 2013, at 9:22 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
John Denker j...@av8n.com writes:
To say the same thing the other way, I was always amazed that the Nazis were
unable to figure out that their crypto was broken during WWII. There were
While doing some research on the history of hashing for a client I
discovered that it is described in the very first edition of the ACM
journal and the paper is a translation of a Russian paper.
One of the many problems with the ITAR mindset is the assumption that all
real ideas are invented
On a more theoretical basis, Phil Rogaway gave a presentation at MIT many
years ago where he showed the use of a one-way function as the construction
primitive for every other type of symmetric algorithm.
--
Website: http://hallambaker.com/
On Tue, Sep 3, 2013 at 12:49 AM, Jon Callas j...@callas.org wrote:
On Sep 2, 2013, at 3:06 PM, Jack Lloyd ll...@randombit.net wrote:
On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:
a) The very reference you give says that
Want to collaborate on an Internet Draft?
This is obviously useful but it can only be made useful if everyone does it
in the same way.
On Tue, Sep 3, 2013 at 10:14 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Phillip Hallam-Baker hal...@gmail.com writes:
To backup the key we tell
On Mon, Sep 2, 2013 at 11:03 PM, John Kelsey crypto@gmail.com wrote:
The backup access problem isn't just a crypto problem, it's a social/legal
problem. There ultimately needs to be some outside mechanism for using
social or legal means to ensure that, say, my kids can get access to at
On Sun, Sep 1, 2013 at 10:35 PM, James A. Donald jam...@echeque.com wrote:
On 2013-09-01 9:11 PM, Jerry Leichter wrote:
Meanwhile, on the authentication side, Stuxnet provided evidence that the
secret community *does* have capabilities (to conduct a collision attacks)
beyond those known to
You know, if there was a completely ironclad legal opinion that made use of
ECC possible without the risk of a lawsuit costing over $2 million from
Certicom then I would be happy to endorse a switch to ECC like the NSA is
pushing for as well.
I would not therefore draw the conclusion that NSA
On Thu, Aug 29, 2013 at 7:15 AM, Jerry Leichter leich...@lrw.com wrote:
On Aug 28, 2013, at 2:04 PM, Faré wrote:
My target audience, like Perry's is people who simply can't cope with
anything more complex than an email address. For me secure mail has to look
feel and smell exactly the same
On Thu, Aug 29, 2013 at 1:59 PM, Taral tar...@gmail.com wrote:
On Wed, Aug 28, 2013 at 12:08 PM, Lucky Green shamr...@cypherpunks.to wrote:
Additional guidelines for IPv6
The sending IP must have a PTR record (i.e., a reverse DNS of the
sending IP) and it should match the IP obtained via
On Thu, Aug 29, 2013 at 1:30 PM, Perry E. Metzger pe...@piermont.com wrote:
On Wed, 28 Aug 2013 20:04:34 +0200 Faré fah...@gmail.com wrote:
One thing that irks me, though, is the problem of the robust, secure
terminal: if everything is encrypted, how does one survive the
, Aug 29, 2013 at 1:38 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
On Thu, Aug 29, 2013 at 1:59 PM, Taral tar...@gmail.com wrote:
On Wed, Aug 28, 2013 at 12:08 PM, Lucky Green shamr...@cypherpunks.to wrote:
Additional guidelines for IPv6
The sending IP must have a PTR
On Thu, Aug 29, 2013 at 4:46 PM, Perry E. Metzger pe...@piermont.com wrote:
Taking a break from our discussion of new privacy enhancing protocols,
I thought I'd share something I've been mumbling about in various
private groups for a while. This is almost 100% on the security side
of things,
On Thu, Aug 29, 2013 at 3:31 PM, Callme Whatiwant nejuc...@gmail.com wrote:
Hello, I'm new here, so I apologize if I'm repeating past arguments or
asking old questions.
On Tue, Aug 27, 2013 at 8:52 PM, Jerry Leichter leich...@lrw.com wrote:
On Aug 27, 2013, at 9:48 PM, Perry E. Metzger
The source is up on sourceforge now. It does need some spring cleaning and
documenting which I hope to get to next week.
The documentation is in the following directory
https://sourceforge.net/p/jsonschema/code/ci/master/tree/Web/
The origins of this work is that about 70% of the effort in
On Tue, Aug 27, 2013 at 5:04 PM, Wendy M. Grossman wen...@pelicancrossing.net wrote:
On 08/27/2013 18:34, ianG wrote:
Why do we need the 1980s assumption of being able to send freely to
everyone, anyway?
It's clear you're not a journalist or working in any other profession
where you
On Tue, Aug 27, 2013 at 10:18 PM, Perry E. Metzger pe...@piermont.com wrote:
On Tue, 27 Aug 2013 19:57:30 -0600 Peter Saint-Andre stpe...@stpeter.im wrote:
On 8/27/13 7:47 PM, Jonathan Thornburg wrote:
On Tue, 27 Aug 2013, Perry E. Metzger wrote:
Say that you want to distribute a
On Sun, Aug 25, 2013 at 7:42 PM, Christian Huitema huit...@huitema.net wrote:
My knowledge of the field is pretty spotty in general as I've never paid much
attention up until now -- mostly I know about how people have built DHTs in
non-hostile environments. I'm close enough to starting
I really like RPis as a cryptographic tool. The only thing that would make
them better is a second Ethernet interface so they could be used as a
firewall type device.
However that said, the pros are:
* Small, cheap, reasonably fast, has ethernet and even a monitor output
* Boot from an SD card
On Mon, Aug 26, 2013 at 5:43 PM, Perry E. Metzger pe...@piermont.com wrote:
On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker hal...@gmail.com wrote:
I really like RPis as a cryptographic tool. The only thing that
would make them better is a second Ethernet interface so they could
There has to be a layered approach.
Traffic analysis is probably going to demand steganography and that is
almost by definition outside standards work.
The part of Prism that I consider to be blatantly unconstitutional is that
they keep all the emails so that they can search them years later
On Thu, Aug 22, 2013 at 1:20 AM, Daira Hopwood da...@jacaranda.org wrote:
On 20/08/13 19:26, Phillip Hallam-Baker wrote:
It is almost certain that most uses of EC would not infringe the
remaining patents.
But the patent holder can force anyone attempting to use them to spend
about $3-5
On Fri, Aug 23, 2013 at 6:02 PM, Philip Whitehouse phi...@whiuk.com wrote:
Let me just see if I get where you're going:
So essentially you've increased the number of CAs to the number of
companies without really solving the PRISM problem. The sheer number mean
it's impractical to do much
On Fri, Aug 23, 2013 at 6:42 PM, Joe St Sauver j...@oregon.uoregon.edu wrote:
I wouldn't take Snowden's alleged opsec practice, or lack thereof, as
a demonstration proof that PGP and/or S/MIME are impossibly difficult for
technical people (or even motivated NON-technical people) to use when
On Fri, Aug 23, 2013 at 3:34 PM, Ben Laurie b...@links.org wrote:
On 22 August 2013 10:36, Phillip Hallam-Baker hal...@gmail.com wrote:
Preventing key substitution will require a combination of the CT ideas
proposed by Ben Laurie (so catenate proof notaries etc) and some form of
'no key
It is almost certain that most uses of EC would not infringe the remaining
patents.
But the patent holder can force anyone attempting to use them to spend
about $3-5 million to defend their right to use EC and so there is very
little incentive to do so given that RSA 2048 is sufficient for almost
I think that fabricating a key here is more likely to mean fabricating an
authentication 'key' rather than an encryption key. Alexander is talking to
Congress and is deliberately being less than precise.
So I would think in terms of application level vulnerabilities in Web based
document servers.
I read an article today that claims one and a half million people have a
Top Secret clearance.
That kind of demonstrates how little Top Secret now means.
On Sun, Jun 30, 2013 at 2:16 PM, Florian Weimer f...@deneb.enyo.de wrote:
* John Gilmore:
[John here. Let's try some speculation about