I'll point out that code reviews, and
crypto programming, are rarely done, and arguably shouldn't, by
programming wizards.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapow
hey have a license for part of the Certicom patents.
I am sure that I'm not alone.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/pro
> Is it possible for two web sites to arrange for cross
> logins?
Check out SAML, esp the browser artifact profile.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapow
and/or MC
told merchants they would "for the time being" treat SSL as card-present,
in terms of fraud penalties, etc. If this is true (anyone here verify?
My source is on the list if s/he wants to name themselves), then SSL/SET
is an interesting example of betting on both sides.
> I think that by eliminating the need for a merchant to learn
> information about your identity I have aimed higher. Given that we're
> talking about credit instruments,
Wasn't that a goal of SET?
/r$
--
Rich Salz Chief Security Architect
D
ng works. I
guess that proves S/MIME and PGP are fundamentally broken. :)
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
---
I don't want to have to implement XML processing to do
XML Digital Signatures
The others are just blowing smoke, or "proof by snarkiness." :)
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.data
as a line of
defense to screen out outsiders, rather than hold insiders liable.
Loosly coupled, tightly contracted.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/pro
that certified the target site, include a two-line corporate summary
and a link to their home page.
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.h
e of years ago, I was told that *every* Canon laser engine
generated a unique microprint signature that could be traced back to a
particular device. OEMs could buy the engine with or without the
signature. If so, this has been going on, surruptitiously, for years.
/r$
--
Rich Salz
period
for this document will be 30 days, ending on November 1st, 2004.
Please direct all comments and questions to Matthew J. Fanto at
[EMAIL PROTECTED]
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http
I've been trying to study Kerberos' design history in the recent past
and have failed to come up with a good resource that explains why things
are built the way they are.
http://web.mit.edu/kerberos/www/dialogue.html
/r$
-
g
an images, data representing text, numbers, audio, and video.
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overvie
ewpoint, CC/SSL is more secure then SET ever was. Since
it wasn't a CCard transacdtion, my liability under SET was unlimited (at
least until Congress caught up to the technology). Looking at the risk
management aspect, SET was a big loser for the customer.
/r$
--
Rich Salz
bably not in non-research use."
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.dat
anism for preserving virtually any kind of
electronic record, free from dependence on any specific hardware or
software. (http://www.archives.gov/electronic_records_archives/index.html)
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40
the lesson when the erroneously issued
two MSFT certificates:
In the future, VRSN patches will be issued as MSFT
software updates.
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.data
to do with it? Once you see that a cert has expired,
there's no need whatsoever to go look at the CRL. The point of a CRL is
to revoke certificates prior to their expiration.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.co
Can someone explain to me why the expiring of a certificate causes new
massive CRL queries?
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security
cross-cell (er, Kerberos inter-realm) flows. After all, there's only not
many ways to do secure online trusted third-party authentication.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://ww
uot; as just another attribute is no big deal. With any luck,
the new year will bring the analogy SOAP::other middleware as SAML::x.509 :)
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http
harge is per-server, not per-query, you could easily
set up an international free service on a big piece of iron.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/x
ice for a Level-2 or small Level-1 CA. The template
management, etc., is pretty good. (Having them tied to the key database,
and having the keys be unlocked while making cert requests, are both
real bad ideas, however.)
/r$
--
Rich Salz Chief Security Architect
DataPowe
t make me feel very comfortable. Also, there's no discussion of key
management, auditing, etc. XCA is probably useful, but as a Level 1 CA,
not an enterprise root or management thereof. Those are the points I
tried to address in the column.
/r$
--
Rich Salz Chief Secu
using XML DSIG and
Encryption.
But hey, ya gotta start somewhere.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http
quot;export strength" any more.)
> On a different, but similar legal note,
> what current patent/trademark issues have people run across with the
> algorithms mentioned above?
Well, for the ones you mentioned, RSA and 3DES are unencumberd.
RC4 is a trademark owned by RSA Data
UIDs, but I can't find
> it right now.
That draft has been replaced by the UUID/URN draft that I mentioned.
It includes all of the original text. Actually, I rewrote most of it
so it reads better now. It's actually in the final comment period and
should show up as an official RFC
> Does anyone have robust code to generate globally unique IDs which won't
> break XML parsing, and work on several platforms?
Look at the "UUID namesapce for URN's" internet-draft.
/r$
--
Rich Salz Chief Security Architect
DataP
utline a reasonable possibility?
I think that rather than spending time on deciding what to call this
library that is to-be-written, and how to license this library that is
to-be-written, that time should be spent on, well, writing it. :)
/r$
--
Rich Salz Chief Security Arch
want crypto API's written in Corba IDL or something just
like it? I'm not so sure. You pay a real price for that abstraction.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapo
number on a web page, and then they call you and you key in
the number. They were founded in 1999; not sure if they're still active.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway
certs on both sides and do mutual authentication.
The bytestream above is already bidirectional.
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Over
And 'the public' doesn't include people like government level attackers?
People like cryptography experts? People who like to play with things like
this?
No it doesn't. *It's not in the threat model.*
/r$
--
Rich Salz, Chief Security Archi
hardware you *know* it's been stolen. You don't
know that for software.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview
> On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:
> > It is the first *source code* certification.
>
> The ability to do this runs counter to my understanding of FIPS 140-2.
Sure, that's why it's *the first.* They have never done this before,
and it is very
libraries. In all three of those cases, you can take the
source and run it on your o/s, but you need to go get re-certified.
The more I think about it, the more amazing this is. Anyone in the world
can now build an SSL/TLS application and be FIPS 140-2L1 certified.
/r$
--
Rich Salz, Chief Sec
ails:
http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&threadm=bj9mos%242tbt%241%40FreeBSD.csie.NCTU.edu.tw&prev=/groups%3Fgroup%3Dmailing.openssl.users
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gate
maller than SSL, and is certainly
less feature-ful.
Congrats on the learning exercise, Tom. Regretablly the big lesson
has avoided you so far.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://ww
> The lib does not implement any other protocol like SSH/SSL/TLS [etc].
Can you explain why someone would prefer your new crypto mechanisms
over the well-studied SSL/TLS, IPsec, etc? From a security viewpoint;
let's call app size irrelevant.
/r$
--
Rich Salz
> The framework, however, generally provides insecure cookies.
No I'm confused. First you said it doesn't make things like the
session-ID available, and I posted a URL to show otherwise. Now you're
saying it's available but insecure?
/r$
--
Rich Salz
27;t
the same as "Connection: close" :)
The only thing in the cookie is an opaque identifer. It's purely
random bytes (for which OPenSSL's RANDbytes() is useful), that is
a key into a server-side table that has all the state. Depending
on the size, that table will be in-c
d
Care to try again?
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xml
tml?tag=fd_top:
See previous sentence. :)
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview
e-commerce, with a "certificate"
re-assuring the nervous customer that they were handing their credit card
to jcrew.com, not, jscrew.com. Yes, SSL was invented to solve a
particular problem. They did a reasonable job at it.
/r$
--
Rich Salz Chief Securit
esents five compliance
defects that are inherent in public-key cryptography; these
defects make public-key cryptography more suitable for server-to-server
security than for desktop applications.
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapow
ample, at
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
we see the question "How can I authenticate clients based on
certificates when I know all my clients?" and it's answer.
Similar questions are also answered.
/r$
--
Rich Salz Chief Secu
looked up hash and didn't
find news of a SHA break, then you should know to use SHA. That assumes
you've heard of SHA in the first place.
Perhaps a few "best practices" papers are in order. They might help
the secure (distributed) computing field a great deal.
/r$
> It's utterly baffling to me why people like this choose to design
> their own thing rather than just using SSL.
Totally agree. At this point in time, if it's a TCP based protocol
and it isn't built on SSL/TLS, it should pretty much be treated
as snake oil, I'd say. Perhaps some kind of evangel
48 matches
Mail list logo
