Re: [cryptography] Misuses/abuses of Sony's compromised root certificate?

2014-12-17 Thread Erwann Abalea
2014-12-17 21:41 GMT+01:00 Jeffrey Walton : > > Has anyone come across any reports of abuse due to Sony's compromised > root? I believe it's named "Sony Corp. CA 2 Root"? > > I did not find it in the Windows 8.1 certificate store. Are any of the > browsers carrying it around? > Since Vista, you'll

Re: [cryptography] the spell is broken

2013-10-05 Thread Erwann Abalea
2013/10/4 Paul Wouters > [...] > People forget the NSA has two faces. One side is good. NIST and FIPS > and NSA are all related. One lesson here might be, only use FIPS when > the USG requires it. That said, a lot of FIPS still makes sense. I'm > surely not going to stick with md5 or sha1. > > W

Re: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Erwann Abalea
The serial number you find in the subject of an EV certificate is the registration number of the company (Paypal Inc, in Delaware). There's absolutely no problem in having different certificates with this repeating serial number (in the subject), as long as they are delivered to the right company.

Re: [cryptography] naming is hard as CAs now get to demonstrate

2013-04-13 Thread Erwann Abalea
Even with only perfect public CAs that do not issue certificates for unapproved namespaces, the problem persists. A company can have a private namespace (TLD) for its internal use, and a private CA, trusted by its employees. The mail server would have a name in this private namespace, with a certi

Re: [cryptography] another cert failure

2013-01-05 Thread Erwann Abalea
2013/1/5 Ryan Hurst > I've been unable to find a screenshot but this FAQ does suggest that there > is an explicit action required to enable HTTPS inspection: > https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65123 > > I don't see anythin

Re: [cryptography] Just how bad is OpenSSL ?

2012-10-26 Thread Erwann Abalea
2012/10/26 John Case : [...] > And the hackernews discussion led me to "OpenSSL is written by monkeys": > > http://www.peereboom.us/assl/assl/html/openssl.html > > So, given what is in the stanford report and then reading this rant about > openssl, I am wondering just how bad openssl is ? I've nev

Re: [cryptography] best way to create entropy?

2012-10-12 Thread Erwann Abalea
Getting random out of spoofable radio signals? Good idea. 2012/10/12 Eugen Leitl : > - Forwarded message from "Naslund, Steve" - > > From: "Naslund, Steve" > Date: Thu, 11 Oct 2012 23:27:56 -0500 > To: na...@nanog.org > Subject: RE: best way to create entropy? > > I know that a popular m

Re: [cryptography] Devices and protocols that require PKCS 1.5 padding

2012-07-02 Thread Erwann Abalea
2012/7/2 Thor Lancelot Simon > [...] > Besides PGP, what other standard, widely-deployed protocols require the > use of padding types other than OAEP? > TLS, up to v1.2. PKCS#1v1.5 is mandatory. -- Erwann.

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-11 Thread Erwann Abalea
2012/6/11 Ben Laurie > On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams > wrote: > > On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer > wrote: > >> * Marsh Ray: > >> > >>> Marc Stevens and B.M.M. de Weger (of > >>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the > >>> collision

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-05 Thread Erwann Abalea
2012/6/5 Marsh Ray > [...] > > An excerpt: > "That’s right, every single enterprise user of Microsoft Terminal Services > on the planet had a CA key that could issue as many code signing > certificates they wanted and for any name they wanted." > > It sounds as if Windows users might have a milli

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-04 Thread Erwann Abalea
It's also not clear about what could have been done with TS certificates. Is it only codesigning, or TLS server as well? -- Erwann. On 4 June 2012 at 09:57, "Marsh Ray" wrote: > > In case it's not clear from the filenames (e.g. the email system drops them) there were three certs revoked. These a