Re: [cryptography] code signing a nuisance?

2011-09-21 Thread M.R.
On 20/09/11 21:48, Peter Gutmann wrote: ...to sign their code. ...I get the impression they see security as a nuisance to be bypassed rather than a real requirement. I'd like to assure you that code signing and the associated need to buy a certificate service from a third party is viewed as a

Re: [cryptography] Math corrections

2011-09-21 Thread Arshad Noor
On 09/18/2011 11:59 AM, Peter Gutmann wrote: Arshad Noor arshad.n...@strongauth.com writes: Just because you come across one compromised CA out of 100 in the browser, does not imply that the remaining 99 are compromised (which is what you are implying with your statement). Since browser PKI

Re: [cryptography] Math corrections

2011-09-21 Thread Arshad Noor
On 09/18/2011 11:57 AM, Peter Gutmann wrote: Arshad Noor arshad.n...@strongauth.com writes: Are there weaknesses in PKI? Undoubtedly! But, there are failures in every ecosystem. The intelligent response to certificate manufacturing and distribution weaknesses is to improve the quality of

Re: [cryptography] Math corrections

2011-09-21 Thread Jeffrey Walton
On Wed, Sep 21, 2011 at 12:30 PM, Arshad Noor arshad.n...@strongauth.com wrote: On 09/18/2011 11:59 AM, Peter Gutmann wrote: Arshad Noor arshad.n...@strongauth.com writes: Just because you come across one compromised CA out of 100 in the browser, does not imply that the remaining 99 are

Re: [cryptography] Math corrections

2011-09-21 Thread ianG
Hi all, On 22/09/11 02:30 AM, Arshad Noor wrote: On 09/18/2011 11:59 AM, Peter Gutmann wrote: Arshad Noor arshad.n...@strongauth.com writes: Just because you come across one compromised CA out of 100 in the browser, does not imply that the remaining 99 are compromised (which is what you are

Re: [cryptography] Math corrections

2011-09-21 Thread Chris Palmer
On Wed, Sep 21, 2011 at 11:30 AM, ianG i...@iang.org wrote: It's a good term!  Add my use:  There is a universal implicit cross-certification in the secure browsing PKI, and the industry knows it, or should know it. Indeed, we can show evidence of this in Chrome's CA pinning. I had assumed

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread ianG
On 22/09/11 00:56 AM, Joe St Sauver wrote: #Anybody want to put forward a conjecture about the response to this pop-up #across the population of e-mail users? Naturally, users (or their support staff) will disable OCSP/CRL checking to make the pop-ups stop happening. C.f., revocation is

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread Chris Palmer
On Wed, Sep 21, 2011 at 2:27 PM, Joe St Sauver j...@oregon.uoregon.edu wrote: Well, it's obviously not quite that easy yet, but users can currently get a free client cert by visiting a web page and filling out a form, and IanG's point was that there should be no web page, no form. You know how

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread Joe St Sauver
Chris Palmer commented: # Well, it's obviously not quite that easy yet, but users can currently get # a free client cert by visiting a web page and filling out a form, and # # IanG's point was that there should be no web page, no form. You know # how sshd generates a host key when there isn't one

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread James A. Donald
On 2011-09-22 8:20 AM, Joe St Sauver wrote: Understood that would be the zipless ideal, but how would the binding of the private/public keypair to the email address occur then, eh? Email client generates private/public keypair. Sends public key to CA server. CA server certifies that the

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread James A. Donald
On 2011-09-22 5:08 AM, ianG wrote: All email client vendors had to do to give smime a chance in life was to make it easy to generate and use a cert. Automatically. Add an account, generate a cert. The rest can follow in due course... Dunno why, but the architecture seems to be an exercise in

Re: [cryptography] code signing a nuisance?

2011-09-21 Thread M.R.
On 21/09/11 06:59, Chris Palmer wrote: Please look into how code signing on Android works and what it means. A quick summary would be appreciated, especially on the meaning part. M.R. ___ cryptography mailing list cryptography@randombit.net