On Mon, 2 Aug 2010 16:20:01 -0500 Nicolas Williams
nicolas.willi...@oracle.com wrote:
But users have to help you establish the context. Have you ever
been prompted about invalid certs when navigating to pages where
you couldn't have cared less about the server's ID? On the web,
when does
On 08/01/2010 01:51 PM, Jeffrey I. Schiller wrote:
I remember them well. Indeed these protocols, presumably you are
talking about Secure Electronic Transactions (SET), were a major
improvement over SSL, but adoption was killed by not only failing to
give the merchants a break on the fraud
On 1/08/10 9:08 PM, Peter Gutmann wrote:
John Levine jo...@iecc.com writes:
Geotrust, to pick the one I use, has a warranty of $10K on their cheap certs
and $150K on their green bar certs. Scroll down to the bottom of this page
where it says Protection Plan:
On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote:
[...]
3 Any security system that demands that users be educated,
i.e. which requires that users make complicated security decisions
during the course of routine work, is doomed to fail.
[...]
I would amend this to say which
minor addenda about speeds feeds concerning the example of mid-90s payment
protocol specification that had enormous PKI/certificate bloat ... and SSL.
The original SSL security was predicated on the user understanding the
relationship between the webserver they thought they were talking to,
On Sun, Aug 01, 2010 at 11:20:51PM +1200, Peter Gutmann wrote:
But, if you query an online database, how do you authenticate its answer? If
you use a key for that or SSL certificate, I see a chicken-and-egg problem.
What's your threat model?
My threat model is practice.
I assume Perry
Inspired by recent discussion, these are my theses, which I hereby
nail upon the virtual church door:
1 If you can do an online check for the validity of a key, there is no
need for a long-lived signed certificate, since you could simply ask
a database in real time whether the holder of the
corollary to security proportional to risk is parameterized risk management
... where variety of technologies with varying integrity levels can co-exist within the same
infrastructure/framework. transactions exceeding particularly technology risk/integrity threshold
may still be approved given
Nice theses. I'm looking forward to the other 94. The first one is a
nice summary of why DKIM might succeed in e-mail security where S/MIME
failed. (Succeed as in, people actually use it.)
2 A third party attestation, e.g. any certificate issued by any modern
CA, is worth exactly as much as
Perry E. Metzger pe...@piermont.com writes:
Inspired by recent discussion, these are my theses, which I hereby nail upon
the virtual church door:
Are we allowed to play peanut gallery for this?
1 If you can do an online check for the validity of a key, there is no
need for a long-lived signed
Usability engineering requires empathy. Isn't it interesting that nerds
built themselves a system, SSH, that mostly adheres to Perry's theses? We
nerds have empathy for ourselves. But when it comes to a system for other
people, we suddenly lose all empathy and design a system that ignores
Perry's