Re: Some thoughts on high-assurance certificates

2005-11-01 Thread Ed Reed
Peter - In the absence of a legal framework for defining, limiting and allocating liability, there's going to be nothing much better than reputation-based assurance for certificates, I'm afraid. The issues are systemic, and broad. They begin with the registration problem you cite. The problem

RE: Microsoft .NET PRNG (fwd)

2004-08-16 Thread Ed Reed
Been there, done that... Win95 Win98 are pretty programs running on DOS. I've generally taken FIPS 140-1 level 1 to be about whether you got the software right, not whether it protects secrets. Level 2 only relies on TCSEC or Common

Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-04 Thread Ed Reed
I recently had the same trouble with the Centers for Disease Control (CDC) - who were calling around to follow up on infant influenza inoculations given last fall. Ultimately, they wanted me to provide authorization to them to receive HIPAA protected patient records from my son's pediatrician,

Re: Satellite eavesdropping of 802.11b traffic

2004-05-28 Thread Ed Reed
Why worry about satellites when car/plane/neighbor unpiloted remote controlled airplanes work so well? You're free-radiating electronic emissions. That's all a determined adversary needs. Or an opportunistic war-driving script-kiddie, for that matter. John Kelsey 5/27/2004

Outsourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before

2003-12-23 Thread Ed Reed
Ian Grigg 12/20/2003 12:15:51 PM One of the (many) reasons that PKI failed is that businesses simply don't outsource trust. Of course they do. Examples: DB and other credit reporting agencies. SEC for fair reporting of financial results. International Banking Letters of

Re: example: secure computing kernel needed

2003-12-22 Thread Ed Reed
Remote attestation has use in applications requiring accountability of the user, as a way for cooperating processes to satisfy themselves that configurations and state are as they're expected to be, and not screwed up somehow. There are many business uses for such things, like checking to see if