On Tue, Sep 10, 2013 at 07:05:40PM -0400, Perry E. Metzger wrote:
> On Tue, 10 Sep 2013 21:58:28 + bmann...@vacation.karoshi.com
> wrote:
> > some years back, i was part of a debate on the relative value of
> > crypto - and it was pointed out that for some sectors, crypto
> > ensured _failure_
much of the discussion these past few weeks seems to be centered on channel and
container protection, secure paths, encrypted file systems, etc. much effort has
gone into ensuring opaque environments for data to flow. and while interesting
and perhaps useful, not a whole lot of effort se
On Sun, Aug 22, 2010 at 11:51:01AM -0400, Anne & Lynn Wheeler wrote:
> On 08/22/2010 06:56 AM, Jakob Schlyter wrote:
> >There is a lot of work going on in this area, including how to use secure DNS
> >to associate the key that appears in a TLS server's certificate with the
> >intended
> >
On Sat, Jul 17, 2010 at 10:41:10AM -0400, Paul Wouters wrote:
> On Fri, 16 Jul 2010, Taral wrote:
>
> >Neat, but not (yet) useful... only these TLDs have DS records:
>
> The rest will follow soon. And it is not that you had to stop those
> TLD trust anchors just now.
actually, soon is a
On Tue, Oct 20, 2009 at 09:20:04AM -0400, William Allen Simpson wrote:
> Nicolas Williams wrote:
> >Getting DNSSEC deployed with sufficiently large KSKs should be priority #1.
> >
> I agree. Let's get something deployed, as that will lead to testing.
>
>
> >If 90 days for the 1024-bit ZSKs is to
On Wed, Oct 14, 2009 at 07:22:27PM -0400, Perry E. Metzger wrote:
>
> bmann...@vacation.karoshi.com writes:
> > On Wed, Oct 14, 2009 at 06:24:06PM -0400, Perry E. Metzger wrote:
> >> Ekr has a very good blog posting on what seems like a bad security
> >> decision being made by Verisign on manageme
On Wed, Oct 14, 2009 at 06:24:06PM -0400, Perry E. Metzger wrote:
>
> Ekr has a very good blog posting on what seems like a bad security
> decision being made by Verisign on management of the DNS root key.
>
> http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html
>
> In su
On Fri, Nov 14, 2008 at 02:29:24PM -0700, Chad Perrin wrote:
> On Fri, Nov 14, 2008 at 01:26:29PM +, [EMAIL PROTECTED] wrote:
> > (snicker) from the local firefox
> >
> >
> > en-us.add-ons.mozilla.com:443 uses an invalid security certificate.
> >
> > The certificate is not trusted becau
(snicker) from the local firefox
en-us.add-ons.mozilla.com:443 uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer)
--bill
--
On Sat, Mar 22, 2008 at 02:46:40PM +, Ben Laurie wrote:
> [EMAIL PROTECTED] wrote:
> > Er... Allow me the option of disbelieving your assertion.
> > PTR records can and do point to multiple names. Some narrow
> > implementations have assumed that there will only be a single
> >
On Sat, Mar 22, 2008 at 10:59:18AM +, Ben Laurie wrote:
> [EMAIL PROTECTED] wrote:
> >On Fri, Mar 21, 2008 at 08:52:07AM +1000, James A. Donald wrote:
> >>From time to time I hear that DNSSEC is working fine, and on examining
> >>the matter I find it is "working fine" except that
> >>
> >
On Fri, Mar 21, 2008 at 08:52:07AM +1000, James A. Donald wrote:
> From time to time I hear that DNSSEC is working fine, and on examining
> the matter I find it is "working fine" except that
>
> Seems to me that if DNSSEC is actually working fine, I should be able to
> provide an authoritat
On Sun, Sep 10, 2006 at 08:30:53AM +1000, James A. Donald wrote:
> --
> Ben Laurie wrote:
> > Subject:
> > [dnsop] BIND and OpenSSL's RSA signature forging issue
> > From:
> > Ben Laurie <[EMAIL PROTECTED]>
> > Date:
> > Fri, 08 Sep 2006 11:40:44 +0100
> > To:
> > DNSEXT WG , "(DNSSEC deploymen
nice paper. note that it claims this paper is being published to
establish IPR claims. there is prior art in several vectors.
you may wish to consider the following (although now expired)
Internet Drafts:
draft-ietf-dnsext-trustupdate-threshold-00
and a similar one authored by Mike StJohns.
that's pretty much DNSSEC, now eleven years old.
or - presuming DNS is fine w/o integrity checks,
one should look at the rationale for the creation
of the CERT (x509) resource record back in 1999
and documented in RFC 2538.
>
>
>
> yahoo draft internet sta
> http://news.nationalgeographic.com/news/2004/02/0205_040205_slavequilts.html
>
> CCH
IRA award, Reading Rainbow Book : Sweet Clara and the Freedom Quilt
by D.Hopkinson
Children's Book of the Month Selection. Published 1993
--bill
--
>
> At 09:57 AM 9/10/2003 -0700, [EMAIL PROTECTED] wrote:
> > ok... does anyone else want to "touch" a secured DNS system
> > that has some parts of the tree fully signed? It's a way to
> > get some empirical understanding of how interesting/hard
> > it is to hamme
>
> At 03:39 AM 9/10/2003 -0700, [EMAIL PROTECTED] wrote:
> > There are some other problems w/ using the DNS.
> > No revocation process.
> > DNS caching
> > third-party trust (DNS admins != delegation holder)
>
> Given high value &/or low t
> >certificate requests coming into a CA/PKI can be digitally signed, the
> >CA/PKI can retrieve the authoritative authentication public key (for the
> >domain name ownership) from the domain name infrastructure and
> >authenticate the request eliminating all the identification gorp (and
>