Tim Dierks writes:
> I don't think it's an interesting solution. I don't see any interesting
> application that's possible with this system which you couldn't do with
> existing public-key cryptography: for example, I could write a protocol &
> software where you could request a public key from
martin f krafft writes:
> My point was that some commercial vendors (Check Point and others)
> claim, that if two partners want to perform a DH key exchange, they
> may use their two public keys for g and p. This, in effect, would
> mean that g and p were not globally known, but that the public key
Steven M. Bellovin wrote:
> Let me point folk at http://www.securityfocus.com/news/5654
> for a related issue. To put it very briefly, *real* authentication is
> hard.
It may be that real authentication is hard, but the unbelievably sloppy
practices of domain name registrars doesn't prove the cas
Jeffrey I. Schiller writes:
> Oh, and btw, the form posting URL in my message wasn't even https, it
> was just http. So all the futzing in the world with https wouldn't help!
Of course it would help. Have you been following this discussion
at all? The idea is to eliminate passwords as being of
The solution to this problem is simple. We want to be able to look
up keys on the key servers by email address or user name or keyid.
But we don't want the system to be useful for spam harvesting.
Simply require that lookups be by valid email address or user name.
Eliminate the wildcard searching
Tim Dierks wrote:
> - Get browser makers to design better ways to communicate to users that
> UI elements can be trusted. For example, a proposal I saw recently which
> would have the OS decorate the borders of "trusted" windows with facts or
> images that an attacker wouldn't be able to predic
Ryan Lackey writes:
> I need to find some relatively widely deployed applications which have
> frequent user interactions (rapid clicking on links, from as large a
> population of links as possible, and also form filling and such).
>
> (it should be pretty obvious what this is for)
It's not, real