Re: ECC patents?

2005-09-15 Thread Rich Salz
a license for part of the Certicom patents. I am sure that I'm not alone. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html

Re: Cross logins

2005-08-04 Thread Rich Salz
Is it possible for two web sites to arrange for cross logins? Check out SAML, esp the browser artifact profile. /r$

Re: the limits of crypto and authentication

2005-07-15 Thread Rich Salz
merchants they would for the time being treat SSL as card-present, in terms of fraud penalties, etc. If this is true (anyone here verify? My source is on the list if s/he wants to name themselves), then SSL/SET is an interesting example of betting on both sides. /r$

Re: the limits of crypto and authentication

2005-07-14 Thread Rich Salz
I think that by eliminating the need for a merchant to learn information about your identity I have aimed higher. Given that we're talking about credit instruments, Wasn't that a goal of SET? /r$

Re: Digital signatures have a big problem with meaning

2005-06-13 Thread Rich Salz
are fundamentally broken. :) /r$

Re: Digital signatures have a big problem with meaning

2005-06-07 Thread Rich Salz
to implement XML processing to do XML Digital Signatures The others are just blowing smoke, or proof by snarkiness. :) /r$

Re: Digital signatures have a big problem with meaning

2005-06-02 Thread Rich Salz
as a line of defense to screen out outsiders, rather than hold insiders liable. Loosely coupled, tightly contracted. /r$

Re: Printers betray document secrets

2004-10-21 Thread Rich Salz
* Canon laser engine generated a unique microprint signature that could be traced back to a particular device. OEMs could buy the engine with or without the signature. If so, this has been going on, surreptitiously, for years. /r$

NIST on TLS

2004-10-04 Thread Rich Salz
period for this document will be 30 days, ending on November 1st, 2004. Please direct all comments and questions to Matthew J. Fanto at [EMAIL PROTECTED]

Re: Kerberos Design

2004-09-06 Thread Rich Salz
I've been trying to study Kerberos' design history in the recent past and have failed to come up with a good resource that explains why things are built the way they are. http://web.mit.edu/kerberos/www/dialogue.html /r$

Re: dual-use digital signature vulnerability

2004-07-22 Thread Rich Salz

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-15 Thread Rich Salz
secure than SET ever was. Since it wasn't a CCard transaction, my liability under SET was unlimited (at least until Congress caught up to the technology). Looking at the risk management aspect, SET was a big loser for the customer. /r$

Re: Passwords can sit on disk for years

2004-06-14 Thread Rich Salz

Security Architect Position at National Archives

2004-05-08 Thread Rich Salz
virtually any kind of electronic record, free from dependence on any specific hardware or software. (http://www.archives.gov/electronic_records_archives/index.html)

Re: Verisign CRL single point of failure

2004-03-31 Thread Rich Salz
with it? Once you see that a cert has expired, there's no need whatsoever to go look at the CRL. The point of a CRL is to revoke certificates prior to their expiration. /r$

Re: Verisign CRL single point of failure

2004-03-31 Thread Rich Salz
two MSFT certificates: In the future, VRSN patches will be issued as MSFT software updates.

Re: Outsourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before

2003-12-29 Thread Rich Salz
(er, Kerberos inter-realm) flows. After all, there's only not many ways to do secure online trusted third-party authentication. /r$

Re: Outsourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before

2003-12-26 Thread Rich Salz
attribute is no big deal. With any luck, the new year will bring the analogy SOAP::other middleware as SAML::x.509 :) /r$

Re: IP2Location.com Releases Database to Identify IP's Geography

2003-12-22 Thread Rich Salz
-server, not per-query, you could easily set up an international free service on a big piece of iron. /r$

Re: PKI root signing ceremony, etc.

2003-12-15 Thread Rich Salz
management, etc., is pretty good. (Having them tied to the key database, and having the keys be unlocked while making cert requests, are both real bad ideas, however.) /r$

PKI root signing ceremony, etc.

2003-12-14 Thread Rich Salz
using XML DSIG and Encryption. But hey, ya gotta start somewhere. /r$

Re: Open Source Embedded SSL - Export Questions

2003-11-26 Thread Rich Salz
note, what current patent/trademark issues have people run across with the algorithms mentioned above? Well, for the ones you mentioned, RSA and 3DES are unencumbered. RC4 is a trademark owned by RSA Data Security. So don't violate their trademark. /r$

Re: XML-proof UIDs

2003-11-17 Thread Rich Salz
now. That draft has been replaced by the UUID/URN draft that I mentioned. It includes all of the original text. Actually, I rewrote most of it so it reads better now. It's actually in the final comment period and should show up as an official RFC in a few weeks. /r$

Re: Open Source (was Simple SSL/TLS - Some Questions)

2003-10-07 Thread Rich Salz
on deciding what to call this library that is to-be-written, and how to license this library that is to-be-written, that time should be spent on, well, writing it. :) /r$

Re: using SMS challenge/response to secure web sites

2003-10-03 Thread Rich Salz
a number on a web page, and then they call you and you key in the number. They were founded in 1999; not sure if they're still active. /r$

Re: Monoculture

2003-09-30 Thread Rich Salz
. The bytestream above is already bidirectional.

Re: fyi: bear/enforcer open-source TCPA project

2003-09-11 Thread Rich Salz
stolen. You don't know that for software. /r$

Re: fyi: bear/enforcer open-source TCPA project

2003-09-11 Thread Rich Salz
And 'the public' doesn't include people like government level attackers? People like cryptography experts? People who like to play with things like this? No it doesn't. *It's not in the threat model.* /r$

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Rich Salz
On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote: It is the first *source code* certification. The ability to do this runs counter to my understanding of FIPS 140-2. Sure, that's why it's *the first.* They have never done this before, and it is very different to how

OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Rich Salz
/groups?dq=hl=enlr=ie=UTF-8threadm=bj9mos%242tbt%241%40FreeBSD.csie.NCTU.edu.twprev=/groups%3Fgroup%3Dmailing.openssl.users /r$

Re: Session Fixation Vulnerability in Web Based Apps

2003-06-15 Thread Rich Salz
The framework, however, generally provides insecure cookies. No I'm confused. First you said it doesn't make things like the session-ID available, and I posted a URL to show otherwise. Now you're saying it's available but insecure? /r$

Re: Nullsoft's WASTE communication system

2003-06-01 Thread Rich Salz
It's utterly baffling to me why people like this choose to design their own thing rather than just using SSL. Totally agree. At this point in time, if it's a TCP based protocol and it isn't built on SSL/TLS, it should pretty much be treated as snake oil, I'd say. Perhaps some kind of