As I said, at this rate we shall have statistically meaningful large
numbers of CA hacks by 2013:
http://translate.google.com/translate?sl=autotl=enjs=nprev=_thl=enie=UTF-8layout=2eotf=1u=http%3A%2F%2Fwebwereld.nl%2Fnieuws%2F108815%2Fweer-certificatenleverancier-overheid-gehackt.htmlact=url
Did they successfully hack the CA functionality or just a web site housing
network design documents for various Dutch government entities? From what
survives Google Translate of the original Dutch it appears to be the latter
no?
And if Kerckhoffs's principle was followed what does it matter if
Is anyone aware of a CA that actually maintains its signing
secrets on secured, airgapped machines, with transfers batched and
done purely by sneakernet?
--
Eugen* Leitl leitl http://leitl.org
__
ICBM:
On 12/07/11 14:42, William Whyte wrote:
Well, I think the theoretically correct answer is that you *should*...
these days all the installers can be available online, after all.
Except when the installer CD you need is the one for the network driver
on the new machine without which you can't
On 12/08/2011 09:16 AM, Darren J Moffat wrote:
On 12/07/11 14:42, William Whyte wrote:
Well, I think the theoretically correct answer is that you *should*...
these days all the installers can be available online, after all.
Except when the installer CD you need is the one for the network
2011/12/7 Marsh Ray ma...@extendedsubset.com:
On 12/07/2011 07:01 PM, lodewijk andré de la porte wrote:
I figured it'd be effective to create a security awareness group
figuring the most prominent (and only effective) way to show people
security is a priority is by placing a simple marking,
On 12/08/2011 09:54 AM, Eugen Leitl wrote:
Is anyone aware of a CA that actually maintains its signing secrets
on secured, airgapped machines, with transfers batched and done
purely by sneakernet?
Only for one company that went out of business in
Hi,
Did they successfully hack the CA functionality or just a web site housing
network design documents for various Dutch government entities? From what
survives Google Translate of the original Dutch it appears to be the latter
no?
Too early for a definite call. But there is also this
I am aware of at least one public CA - still in business - that
fits this description.
Every private PKI we have setup since 1999 (more than a dozen, of
which a few were for the largest companies in the world) has had
the Root CA on a non-networked machine with commensurate controls
to protect
David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/
What do you think?
--Michael
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
On Wed, Dec 7, 2011 at 4:32 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
In the presence of such a [self-revoking] revocation [of a root certificate]
applications can react in one of three ways: they can accept the CRL
that revokes the certificate as valid and revoke it, they can reject
On 12/08/2011 01:09 PM, jd.cypherpunks wrote:
David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/
What do you think?
I assume you're talking about their new DNSCrypt application.
They seem to be saying it's an implementation of DJB's DNSCurve protocol.
From: jd.cypherpunks jd.cypherpu...@gmail.com
David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/
What do you think?
He's been running https://www.opendns.com/ for quite some time.
I read somewhere that the project is making $200K a month by selling the
redirects, but a) That
Ralph Holz h...@net.in.tum.de writes:
As I said, at this rate we shall have statistically meaningful large
numbers of CA hacks by 2013:
KPN is claiming there's nothing to worry about, please move along:
Arshad Noor arshad.n...@strongauth.com writes:
Every private PKI we have setup since 1999 (more than a dozen, of which a few
were for the largest companies in the world) has had the Root CA on a
non-networked machine with commensurate controls to protect the CA.
What about TSAs, where you need
Peter Gutmann writes:
-+---
| This means that once a particular signed binary has been detected
| as being malware the virus scanner can extract the signing
| certificate and know that anything else that contains that
| particular certificate will also be malware, with the
d...@geer.org writes:
One would assume that the effort to get such a signing certificate would
persuade the bad team to use that cert for targeted attacks, not broadcast
ones, in which case you would be damned lucky to find it in a place where you
could then encapsulate it in a signature-based