to work on that around 1998, they
might still have some of that design around.
--Paul Hoffman
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Also see RFC 3766 from almost a decade ago; it has stood up fairly well.
--Paul Hoffman
On Sep 4, 2013, at 2:15 PM, Andy Steingruebl stein...@gmail.com wrote:
As of Jan-2014 CAs are forbidden from issuing/signing anything less than 2048
certs.
For some value of forbidden. :-)
--Paul Hoffman
vendor keeps that key, usually in cert form, in its
trust anchor pile. You should not extrapolate *anything* from the contents of
the CA cert except the key itself and the proclaimed name associated with it.
--Paul Hoffman, Director
--VPN Consortium
At 5:33 PM -0400 9/14/10, Thor Lancelot Simon wrote:
On Tue, Sep 14, 2010 at 08:14:59AM -0700, Paul Hoffman wrote:
At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for
someone else:
This suggests to me that even if NIST is correct that 2048 bit RSA
keys
At 11:35 AM +1000 8/16/10, Arash Partow wrote:
Paul Hoffman wrote:
You are under the wrong impression, unless you are reading vastly different
crypto literature than the rest of us are. RSA-1024 *might* be possible to
break in public at some point in the next decade, and RSA-2048 is a few orders
of magnitude harder than that.
--Paul Hoffman, Director
--VPN Consortium
a unique state (because
they might start within the same refresh. If you need that, you probably want
to automatically mix a microsecond-accurate time at the same time.
--Paul Hoffman, Director
--VPN Consortium
insert chide about your criticism of the exact shade of red used on the
curtains in the theater
--Paul Hoffman, Director
--VPN Consortium
, and there is
money to be thrown down the drain^w^w^wat them, there will be active
development.
--Paul Hoffman, Director
--VPN Consortium
changes needed when one algorithm
fails is low. Later software updates that contain other changes can also
include new algorithms that are suspected to be good even if all of the
original ones fail.
--Paul Hoffman, Director
--VPN Consortium
At 7:10 PM -0700 8/19/09, james hughes wrote:
On Aug 19, 2009, at 3:28 PM, Paul Hoffman wrote:
I understand that creaking is not a technical cryptography term, but
certainly is. When do we become certain that devastating attacks on one
feature of hash functions (collision resistance) have any
without any hint of preimage attacks, the less
certain I am that collision attacks are even related to preimage attacks.
Of course, I still believe in hash algorithm agility: regardless of how
preimage attacks will be found, we need to be able to deal with them
immediately.
--Paul Hoffman
At 2:46 PM -0700 8/19/09, Greg Rose wrote:
...some summaries of some of the presentations...
More like this, please! The rump sessions have a lot of value (beyond the
often-strained attempts at humor).
--Paul Hoffman, Director
--VPN Consortium
At 7:54 AM -0600 7/18/09, Zooko Wilcox-O'Hearn wrote:
This involves deciding whether a 192-bit elliptic curve public key is strong
enough...
Why not just go with 256-bit EC (128-bit symmetric strength)? Is the 8 bytes
per signature the issue, or the extra compute time?
--Paul Hoffman, Director
At 11:09 PM +0200 7/14/09, Weger, B.M.M. de wrote:
Any other problems? Maybe something with key rollover or
interoperability?
Bingo. Key rollover has been thinly tested in relying parties.
--Paul Hoffman, Director
--VPN Consortium
definition, and they can't make MD6 work within that definition.
But that doesn't mean that NIST wouldn't have accepted the fast-enough MD6 with
a proof from someone else.
--Paul Hoffman, Director
--VPN Consortium
or not NIST would really rely on the
proofs. It was clear they didn't want to withdraw MD6, but that they felt like
they had to because of the speed requirement.
--Paul Hoffman, Director
--VPN Consortium
* 1024) of brute force? That is a
silly reduction; reducing it to anything less than the estimate for NFS (about
80 bits) is not useful. Or, can this attack be combined with NFS? Or...?
--Paul Hoffman, Director
--VPN Consortium
on this list used the book to teach a class? If so, did you create a
list of discussion questions? Or, do people know profs who have used the book
to teach? Any pointers are appreciated.
--Paul Hoffman
on this list and in the press are sloppy about
security decisions that involve periods of time longer than about a year.
--Paul Hoffman, Director
--VPN Consortium
At 6:02 PM +0200 5/8/09, R. Hirschfeld wrote:
Date: Tue, 5 May 2009 10:17:00 -0700
From: Paul Hoffman paul.hoff...@vpnc.org
the CA fixed the problem and researched all related problems that it
could find.
From what I've read of the incident (I think it's the one referred
to), Comodo
At 1:02 AM +1200 5/7/09, Peter Gutmann wrote:
Paul Hoffman paul.hoff...@vpnc.org writes:
Peter, you really need more detents on the knob for your hyperbole setting.
nothing happened is flat-out wrong: the CA fixed the problem and researched
all related problems that it could find. Perhaps you
should be ready to answer who will benefit from the punishment
and in what way should the CA be punished. (You don't have to answer these,
of course: you can just mete out punishment because it makes you feel good and
powerful. There is lots of history of that.)
--Paul Hoffman, Director
--VPN
At 6:44 PM -0400 5/5/09, Jerry Leichter wrote:
On May 5, 2009, at 1:17 PM, Paul Hoffman wrote:
...This leads to the question: if a CA in a trust anchor pile does something
wrong (terribly wrong, in this case) and fixes it, should they be punished?
If you say yes, you should be ready to answer
on security issues.
http://gcn.com/articles/2009/01/23/obama-gets-super-secure-smartphone.aspx
I too would like to hear more information on this, particularly the crypto that
is known to be used on the Edge.
--Paul Hoffman, Director
--VPN Consortium
that there is a straight-line loss of bits, you would
have to be believing that the attack is much worse for SHA2/384 than it was for
SHA2/256 in order to bring the output down to the level that I need.
--Paul Hoffman, Director
--VPN Consortium
the pain is avoided:
Yes+. That's why we designed IDNA that way.
--Paul Hoffman, Director
--VPN Consortium
At 11:08 AM -0700 8/21/08, Greg Rose wrote:
Adi mentioned that the slides and paper will go online around the
deadline for Eurocrypt submission; it will all become much clearer
than my wounded explanations then.
There now: http://eprint.iacr.org/2008/385
--Paul Hoffman, Director
--VPN
is that people who have
more stake in the game (Mozilla Inc.) have spent longer thinking
about this than we give them credit for and come to the design
decisions that they have.
--Paul Hoffman, Director
--VPN Consortium
have similarly poor security. Knowing this, do you
wish to continue anyway?
--Paul Hoffman, Director
--VPN Consortium
that is quite expensive. I
suspect that nearly everyone in the country would be happy to pay an
additional $1/election for more reliable results.
--Paul Hoffman, Director
--VPN Consortium
I understand most current browsers support OCSP.
...and only a tiny number of CAs do so.
--Paul Hoffman, Director
--VPN Consortium
to above), code changes and a universal
rollout in all DNS software (which you allude to at the end), and
stable rollout of the DNSSEC trust anchor system in every significant
zone and all resolvers.
FWIW, only the latter has anything to do with this mailing list...
--Paul Hoffman, Director
make nearly as much difference as a diligent security expert with a
good name.
--Paul Hoffman, Director
--VPN Consortium
of opacity.
So, I agree with Peter that that article is probably correct about protocols.
--Paul Hoffman, Director
--VPN Consortium
uncomplicated, modulo initial setup.
And, if you want to host on FreeBSD instead of Linux, see
http://www.rootbsd.net/. Same price, good service.
--Paul Hoffman, Director
--VPN Consortium
At 10:25 AM +0100 5/15/08, Ben Laurie wrote:
Paul Hoffman wrote:
I'm confused about two statements here:
At 2:10 PM +0100 5/13/08, Ben Laurie wrote:
The result of this is that for the last two years (from Debian's
Edgy release until now), anyone doing pretty much any crypto on
Debian
More interesting threadage about the issue here:
http://taint.org/2008/05/13/153959a.html, particularly in the
comments.
--Paul Hoffman, Director
--VPN Consortium
? It
seems like a pretty flimsy straw man.
--Paul Hoffman, Director
--VPN Consortium
that SSL/TLS can protect email
privacy,
That's not what I asked, of course.
--Paul Hoffman, Director
--VPN Consortium
and the other two could wither over the ensuing
decades. If we're lucky.
--Paul Hoffman, Director
--VPN Consortium
from last week.
I watched the webcast of the rump session, and Christian Rechberger
said that they think they will get 2^60ish with a new technique. He
did not describe the technique in any detail. Offline, he has told me
that there will be papers published.
--Paul Hoffman, Director
--VPN
new cryptanalytic methods... sounds great, but is
meaningless without specifics.
--Paul Hoffman, Director
--VPN Consortium
, or what.
--Paul Hoffman, Director
--VPN Consortium
At 7:58 PM +1200 7/20/07, [EMAIL PROTECTED] wrote:
Paul Hoffman [EMAIL PROTECTED] writes:
At 2:45 AM +1200 7/20/07, [EMAIL PROTECTED] wrote:
From a security point of view, this is really bad. From a
usability point of view, it's necessary.
As you can see from my list of proposed solutions
are about to put it back in.
Note that I did not criticize the practice of starting with a zillion
roots that Microsoft trusts.
--Paul Hoffman, Director
--VPN Consortium
the cost of the end
boxes for still-useful DH.
Oh, and all the above is ignoring that DH works over multiple hops of
different media, and quantum crypto doesn't (yet, maybe ever).
--Paul Hoffman, Director
--VPN Consortium
At 2:49 PM -0500 6/26/07, Nicolas Williams wrote:
On Fri, Jun 22, 2007 at 10:43:16AM -0700, Paul Hoffman wrote:
This was discussed many times, and always rejected as not good
enough by the purists. Then the IETF created the BTNS Working Group
which is spending huge amounts of time getting
this other actually secure stuff).
Whereas I was in the camp of liking the name very much for the very
reason that this thread was started: because it lets you encrypt an
arbitrary conversation with essentially no startup cost.
--Paul Hoffman, Director
--VPN Consortium
the attacker has the ability to perform 2^128 or
more operations, which he doesn't.
Which part of the word useless is not apparent here?
--Paul Hoffman, Director
--VPN Consortium
by the purists. Then the IETF created the BTNS Working Group
which is spending huge amounts of time getting close to purity again.
--Paul Hoffman, Director
--VPN Consortium
years ago.
As far
as I know, there isn't even a way to store mail routing information in
X.509 certificates.
Why would you need to? SMTP-over-TLS only identifies the system to
whom you are speaking. No routing information is needed or wanted.
--Paul Hoffman, Director
--VPN Consortium
For the math weenies on the list, see the full announcement here:
http://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind0705L=nmbrthryT=0P=1019.
--Paul Hoffman, Director
--VPN Consortium
migration.
That's good of you not to expect it, given that zero of the major CAs
seem to support ECC certs today, and even if they did, those certs
would not work in IE on XP.
--Paul Hoffman, Director
--VPN Consortium
on those machines.
--Paul Hoffman, Director
--VPN Consortium
professionals without
any negative consequences?
Because doing so can get things finished earlier and/or make a more
efficient protocol.
Same as it ever was.
--Paul Hoffman, Director
--VPN Consortium
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of course, false,
This is, of course false. In order to control
At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.
If the owner of any key signs below their level, it is immediately
/ months will be spent finger-pointing instead of fixing.
--Paul Hoffman, Director
--VPN Consortium
in the ISP community even before this event: many
are not sure they trust ICANN itself, much less its current sponsor.
Note that I'm not supporting the US signing the root in the least.
I'm just saying that predicting doom is grossly premature.
/anti-rant
--Paul Hoffman, Director
--VPN Consortium
after SHA-1 needs to stop being used.
--Paul Hoffman, Director
--VPN Consortium
are in the second group. It looks like NIST sided with the
first group, but it will be interesting if the folks in the second
group are vocal during the coming few years.
--Paul Hoffman, Director
--VPN Consortium
it down one layer in the
stack. At least that way you'll know the security properties of what
you create.
--Paul Hoffman, Director
--VPN Consortium
a good one.
--Paul Hoffman, Director
--VPN Consortium
algorithm like AES, there are probably a dozen people on
this mailing list who could sanity check your product's
implementation of AES (and probably even of key storage) in less than
50 hours of consulting time,
--Paul Hoffman, Director
--VPN Consortium
to signing all
outgoing mail, not looking to see oh, if it is James, don't sign it
because he won't like it.
--Paul Hoffman, Director
--VPN Consortium
not. The receiving MTA *and/or* MUA can verify signatures.
That is clearly covered in the protocol document.
--Paul Hoffman, Director
--VPN Consortium
email -- I even let you choose any secure method that you want.
Yes, I could. But I won't bother. :-)
--Paul Hoffman, Director
--VPN Consortium
actually work but no one uses it. They briefly say why:
key management. Not being easy enough to use is quite different than
NOT actually working.
--Paul Hoffman, Director
--VPN Consortium
at the
Paris IETF meeting was that the IETF should *not* propose solutions
to the problem. That is why the BOF did not turn into a Working Group
and why there has been little discussion of the proposed solutions in
the relevant IETF working groups.
--Paul Hoffman, Director
--VPN Consortium
, but doesn't
have the personpower to do so in a predictable fashion.
--Paul Hoffman, Director
--VPN Consortium
and change the parameters to
your heart's content (assuming you have root privs).
(...Other Linux-specific complaints elided...)
--Paul Hoffman, Director
--VPN Consortium
the willies when I see the
security clue of the folks running the site.
FWIW, I have never had a problem changing my password to something
very long and all-alphabetic, even if I don't include at least one
capital letter and one digit or whatever the CYA rules for passwords
are these days.
--Paul
protocol with many within-packet and
within-stream dependencies. These cannot be resolved by proper
programming tools unless those tools are specifically crafted for
IKE. SSL/TLS probably suffers the same fate.
--Paul Hoffman, Director
--VPN Consortium
that it
applies to some SSL/TLS implementations, of course using very
different malformed packets.
--Paul Hoffman, Director
--VPN Consortium
Humorously, security folks seem to have ignored this when designing
our protocols.
--Paul Hoffman, Director
--VPN Consortium
secure.
--Paul Hoffman, Director
--VPN Consortium
At 9:32 AM -0700 9/12/05, James A. Donald wrote:
It has been a long time, and no one has paid out
money on an ECC patent yet.
That's pretty bold statement that folks at Certicom might disagree
with, even before
http://www1.ietf.org/proceedings_new/04nov/slides/saag-2/sld1.htm.
--Paul
Bingo.
--Paul Hoffman, Director
--VPN Consortium