Re: Maybe It's Snake Oil All the Way Down

2003-06-08 Thread Jaap-Henk Hoepman
I thought the 3G (UMTS) cellphones at least were going to use reasonably good crypto; don't know about the overall security architecture though. Jaap-Henk On Fri, 06 Jun 2003 14:30:04 -0400 Ian Grigg [EMAIL PROTECTED] writes: John Kelsey wrote: So, what can I do about it, as an individual?

Re: Maybe It's Snake Oil All the Way Down

2003-06-07 Thread Anonymous Sender
James A. Donald writes: Suppose the e-gold, to prevent this sea of spam trying to get people to login to fake e-gold sites, wanted people to use public keys instead of shared secrets, making your secret key the instrument that controls the account instead of your shared password. They

Re: Maybe It's Snake Oil All the Way Down

2003-06-07 Thread James A. Donald
-- On 6 Jun 2003 at 17:45, Anne Lynn Wheeler wrote: ??? public key registered in place of shared-secret? NACHA debit trials using digitally signed transactions did it with both software keys as well as hardware tokens. http://internetcouncil.nacha.org/News/news.html in the above scroll

RE: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Peter Gutmann
Lucky Green [EMAIL PROTECTED] writes: I trust that we can agree that the volume of traffic and number of transactions protected by SSL are orders of magnitude higher than those protected by SSH. As is the number of users of SSL. The overwhelming majority of which wouldn't know ssh from telnet.

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Bill Frantz
At 7:42 AM -0700 6/3/03, John Kelsey wrote: I keep wondering how hard it would be to build a cordless phone system on top of 802.11b with some kind of decent encryption being used. I'd really like to be able to move from a digital spread spectrum cordless phone (which probably has a 16-bit key

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Anne Lynn Wheeler
On Tue, 2003-06-03 at 07:04, Peter Gutmann wrote: That's a red herring. It happens to use X.509 as its preferred bit-bagging format for public keys, but that's about it. People use self-signed certs, certs from unknown CAs [0], etc etc, and you don't need certs at all if you don't need them,

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Bill Stewart
At 11:38 AM 06/03/2003 -0400, Ian Grigg wrote: I (arbitratrily) define the marketplace for SSL as browsing. ... There, we can show statistics that indicate that SSL has penetrated to something slightly less than 1% of servers. For transmitting credit card numbers on web forms, I'd be surprised if

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Eric Blossom
On Tue, Jun 03, 2003 at 06:17:12PM -0400, John Kelsey wrote: At 01:25 PM 6/3/03 -0700, Eric Blossom wrote: ... I agree end-to-end encryption is worthwhile if it's available, but even when someone's calling my cellphone from a normal landline phone, I'd like it if at least the over-the-air

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Anne Lynn Wheeler
At 03:04 PM 6/3/2003 -0700, James A. Donald wrote: I never figured out how to use a certificate to authenticate a client to a web server, how to make a web form available to one client and not another. Where do I start? What I and everyone else does is use a shared secret, a password stored on

Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Ian Grigg
Tim Dierks wrote: At 09:11 AM 6/3/2003, Peter Gutmann wrote: Lucky Green [EMAIL PROTECTED] writes: Given that SSL use is orders of magnitude higher than that of SSH, with no change in sight, primarily due to SSL's ease-of-use, I am a bit puzzled by your assertion that ssh, not SSL, is

Re: Maybe It's Snake Oil All the Way Down

2003-06-03 Thread Amir Herzberg
Erik is right: there must be very strong motivation to consider using a cryptographic mechanism/protocol which is not `standard` (de-facto standards are Ok). When this motivation is supposedly improved security, the new (supposedly more secure) primitive should preferably be composed with a

Re: Maybe It's Snake Oil All the Way Down

2003-06-02 Thread Eric Rescorla
Scott Guthery [EMAIL PROTECTED] writes: When I drill down on the many pontifications made by computer security and cryptography experts all I find is given wisdom. Maybe the reason that folks roll their own is because as far as they can see that's what everyone does. Roll your own then whip

Re: Maybe It's Snake Oil All the Way Down

2003-06-02 Thread Eric Rescorla
Scott Guthery [EMAIL PROTECTED] writes: Suppose. Just suppose. That you figured out a factoring algorithm that was polynomial. What would you do? Would you post it immediately to cypherpunks?Well, OK, maybe you would but not everyone would. In fact some might even imagine they could

Re: Maybe It's Snake Oil All the Way Down

2003-06-02 Thread Adam Shostack
] | Subject: Re: Maybe It's Snake Oil All the Way Down | | | |There are a number of standard building blocks (3DES, AES, RSA, HMAC, |SSL, S/MIME, etc.). While none of these building blocks are known |to be secure .. | | So for the well-meaning naif