On 5/06/12 23:46 PM, Thierry Moreau wrote:
Hi Peter,
Replying on the thinking process, not on the fundamentals at this time
(we seem to agree on the characteristics of PKC vs else).
Peter Gutmann wrote:
Thierry Moreau thierry.mor...@connotech.com writes:
Unless automated SSH sessions are
On 6/2/12 6:15 AM, Joe St Sauver wrote:
ianG asked:
#Would it be possible to describe in general words what LOA-1 thru 4 entails?
I hesitate to try to do so. The definitive answer can be found in
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
The latest version,
Thierry Moreau thierry.mor...@connotech.com writes:
Unless automated SSH sessions are needed (which is a different problem
space), the SSH session is directly controlled by a user. Then, the private
key is stored encrypted on long term storage (swap space vulnerability
remaining, admittedly) and
passwords are insecure, PKCs are secure, therefore anything
that uses PKCs is magically made secure
Well as you said, you have to look at what happens in the real world. I would
argue PKCs make things obscure, which buys you a fair amount of security until
some undetermined point in time
Hi Peter,
Replying on the thinking process, not on the fundamentals at this time
(we seem to agree on the characteristics of PKC vs else).
Peter Gutmann wrote:
Thierry Moreau thierry.mor...@connotech.com writes:
Unless automated SSH sessions are needed (which is a different problem
space),
Thanks for that, that is all that is needed to get the idea. (I was
hoping for some objective standard rather than a current-technology
taxonomy.)
iang
On 2/06/12 23:15 PM, Joe St Sauver wrote:
ianG asked:
#Would it be possible to describe in general words what LOA-1 thru 4 entails?
I
ianG asked:
#Would it be possible to describe in general words what LOA-1 thru 4 entails?
I hesitate to try to do so. The definitive answer can be found in
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
and includes many subtle and important points, but just to focus
good post.
I often think in terms of low-med-high security, where low is equivalent
to mailing lists (spam threat), medium is online banking through web
browsers, and high is payment systems using direct cash (digicash,
bitcoin, e-gold, etc because they are instantly redeemable by thieves,
* Eugen Leitl:
Unrelated, IIRC Microsoft changed the architecture of supernodes to allow
for lawful interception with Skype.
Skype supports transparent call forwarding, so lawful intercept is
possible as well. It's just a question of how much about the
interception activity leaks to the
On 30 May 2012 05:01, ianG i...@iang.org wrote:
On 29/05/12 11:03 AM, Peter Maxwell wrote:
On 29 May 2012 01:35, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Peter Maxwell pe...@allicient.co.uk writes:
Why on
Peter Gutmann wrote:
Werner Koch w...@gnupg.org writes:
Which is not a surprise given that many SSH users believe that ssh
automagically makes their root account safe and continue to use their lame
passwords instead of using PK based authentication.
That has its own problems with magical
Peter Maxwell pe...@allicient.co.uk writes:
Why on earth would you need to spread your private-key across any number of
less secure machines?
The technical details are long and tedious (a pile of machines that need to
talk via SSH because telnet and FTP were turned off/firewalled years ago, I
On May 26, 2012, at 8:15 34AM, Eugen Leitl wrote:
On Fri, May 25, 2012 at 11:19:33AM -0700, Jon Callas wrote:
My money would be on a combination of traffic analysis and targeted
malware. We know that the Germans have been pioneering using targeted malware
against Skype. Once you've done
On 29 May 2012 01:35, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Peter Maxwell pe...@allicient.co.uk writes:
Why on earth would you need to spread your private-key across any number of
less secure machines?
The technical details are long and tedious (a pile of machines that need to
But this sounds to me like a very general answer which was probably
prepared ahead of time to reveal the minimal amount of information. For
this reason I don't think it should be interpreted as referring to SSH
or PGP specifically. But the phrase depending on the type and quality
of the
Marsh Ray ma...@extendedsubset.com writes:
Perhaps someone who knows German can better interpret it.
The government was asked are encrypted communications creating any
difficulties for law enforcement in terms of pursuing criminals and
terrorists?. The government replied no, not really, so
On Fri, May 25, 2012 at 11:19:33AM -0700, Jon Callas wrote:
My money would be on a combination of traffic analysis and targeted
malware. We know that the Germans have been pioneering using targeted malware
against Skype. Once you've done that, you can pick apart anything else. Just
a simple
On 26 May 2012 06:57, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Werner Koch w...@gnupg.org writes:
Which is not a surprise given that many SSH users believe that ssh
automagically makes their root account safe and continue to use their lame
passwords instead of using PK based
On 05/26/2012 08:01 AM, Peter Gutmann wrote:
Marsh Ray ma...@extendedsubset.com writes:
Perhaps someone who knows German can better interpret it.
The government was asked are encrypted communications creating any
difficulties for law enforcement in terms of pursuing criminals and
Here's Google Translate link to the article (I can't read German). My money is
on a protocol or implementation flaw, or possibly just hacks to the end system.
On 05/25/2012 09:50 AM, Steven Bellovin wrote:
Here's Google Translate link to the article (I can't read German).
My money is on a protocol or implementation flaw, or possibly just
hacks to the end system.
My money would be on a combination of traffic analysis and targeted malware. We
know that the Germans have been pioneering using targeted malware against
Skype. Once you've done that, you can pick apart anything else. Just a simple
matter of
On 05/25/2012 08:19 PM, Jon Callas wrote:
My money would be on a combination of traffic analysis and targeted malware.
We know that the Germans have been pioneering using targeted malware against
Skype. Once you've done that, you can pick apart anything else. Just a simple
matter of coding.
Werner Koch w...@gnupg.org writes:
Which is not a surprise given that many SSH users believe that ssh
automagically makes their root account safe and continue to use their lame
passwords instead of using PK based authentication.
That has its own problems with magical thinking: Provided you use PK