Re: How much for a DoD X.509 certificate?
hi

> Peter Gutmann wrote:
> > http://www.wjla.com/news/stories/0305/210558.html
> > http://www.wjla.com/news/stories/0105/200474.html

( 05.08.11 12:55 -0600 ) Anne & Lynn Wheeler:
> one might claim that part of this is the lingering affinity to offline
> credentials ... when most really secure operations have gone to online
> and realtime operations ...

as i understand it, the problem here was that credentials were issued by an untrustworthy agent. you can have this scenario both online and off.

how does being online solve the problem of a compromised issuing authority?

--
\js
oblique strategy: imagine the music as a moving chain or caterpillar

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: why "penny black" etc. are not very useful (could crypto stop spam??)
hi

Amir Herzberg wrote:
> E-mail (at least from new correspondents) must be signed by an `anti-spam mail certification authority (ASMCA)` - often the ISP of the sender. Recipient's mail client (or server) will reject mail (from new correspondents) not certified by a trustworthy ASMCA.

ok, but is it a 'web of trust' model [pgp] with many decentralized ASMCAs [or whatever they're called], or a 'pay to play' model where an authority [verisign] decides which mail gets the bits or not.

the technology exists, and would work. the problem [as is often the case], comes with the human interface to the technology.

i am very skeptical of how much better things would be in a 'pay to play' scenario. we'd just get different kinds of spam without lessening the flow.

> - ASMCA's have strong incentive not to approve spam.

if they can make more money by approving it, they will. i wish it were otherwise.

--
\js
! VTABE NAPRV FFGER ATGU
Re: Monoculture
hi

( 03.09.30 20:39 -0700 ) [EMAIL PROTECTED]:
> And, given the recent set of widely publicized flaws in openssl and
> openssh, I think that concern about monoculture in cryptography
> software is pretty damn well founded.

except for the fact that these holes get fixed as opposed to the other flaws in the true monoculture computing environment [m$ windows] that get denied, then fixed [at a later date, and with no external review of the fix code possible].

the monoculture you refer to [ssl/ssh] is brought on by the effectiveness of this software to allow for some measure of secure network computing. a lot of people use it because it works.

but you're probably just trolling anyway ...

--
\js
Re: End of the line for Ireland's dotcom star
hi

( 03.09.23 13:45 -0600 ) Anne & Lynn Wheeler:
> is it still possible to show that there has been long term,
> continuous, non-stop, highest security custodial care of the GTE
> cybertrust CA private keys. If there hasn't ... would anybody even
> know?

i worked at cybertrust/baltimore up until about 3 years ago [like rats leaving a sinking ship ...]. and, as you might imagine i have no idea what's going on with those keys. there was a big institutional fight over how much money to spend on putting those keys in the browsers, now pretty much meaningless.

the keys were always well watched, at least while i was there. i had to work in that room a few times, and i was watched then too. the guy who ran the facility [like a tight ship] left shortly after i did, so i have even less faith in the integrity of those certs now than i would have otherwise because his replacement probably couldn't even tell you what TCP stands for.

but as you imply, all bets are off now.

--
\js
Re: US Encryption Exports Clarified
hi

[edited]
> Finally this rule implements changes to the Wassenaar Arrangement List
> that eliminate from Export Control Classification Number (ECCN) 5A002
> equipment specially designed and limited to controlling access to
> copyright protected data.

look- DMCA working to reduce encryption controls. who knew?

--
\js
Re: The real problem that https has conspicuously failed to fix
hi

( 03.06.10 01:52 - ) John R. Levine:
> Crypto lets someone say "Hi! I absolutely definitely have a name
> somewhat like the name of a large familiar organization, and I'd like
> to steal your data!" and lots of users will say "OK, fine, whatever."

i think this is more a problem with people than technology [crypto].

similarly, another aspect of the problem is the widespread unfamiliarity with digital credentials. again, this part could be 'solved' by teaching people instead of creating more technology.

nothing is foolproof. we live in a dangerous world.

--
\js
Re: "PGP Encryption Proves Powerful"
hi

( 03.05.29 13:22 -0400 ) Ian Grigg:
> Does anyone know of a repository for real life
> attacks on crypto systems?

bugtraq archives?

perhaps due to the sensitive nature of encrypted data, many attacks may not be reported. and even if so, the reports may be incomplete, or misleading.

--
\js