Re: [cryptography] code signing a nuisance?

2011-09-21 Thread Chris Palmer
On Sep 21, 2011, at 10:11 PM, M.R. wrote: >> Please look into how code signing on Android works and what it means. > A quick summary would be appreciated, especially on the "meaning" part. Google: [ android code signing ] http://www.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf """Andr

Re: [cryptography] code signing a nuisance?

2011-09-21 Thread M.R.
On 21/09/11 06:59, Chris Palmer wrote: Please look into how code signing on Android works and what it means. A quick summary would be appreciated, especially on the "meaning" part. M.R. ___ cryptography mailing list cryptography@randombit.net http://l

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread James A. Donald
On 2011-09-22 5:08 AM, ianG wrote: All email client vendors had to do to give smime a chance in life was to make it easy to generate and use a cert. Automatically. Add an account, generate a cert. The rest can follow in due course... Dunno why, but the architecture seems to be an exercise in won

Re: [cryptography] Math corrections

2011-09-21 Thread James A. Donald
On 2011-09-22 2:30 AM, Arshad Noor wrote: In the first place, as you know, browsers have a trust-store of unique self-signed TTP CA certificates; not cross-certified certificates. All SSL/TLS connections between browsers and a site with an SSL certificate issued by one of those TTP CAs, involves

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread James A. Donald
On 2011-09-22 8:20 AM, Joe St Sauver wrote: Understood that would be the "zipless" ideal, but how would the binding of the private/public keypair to the email address occur then, eh? Email client generates private/public keypair. Sends public key to CA server. CA server certifies that the ow

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread Joe St Sauver
Chris Palmer commented: #> Well, it's obviously not quite that easy yet, but users can currently get #> a free client cert by visiting a web page and filling out a form, and # #IanG's point was that there should be no web page, no form. You know #how sshd generates a host key when there isn't one y

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread Chris Palmer
On Wed, Sep 21, 2011 at 2:27 PM, Joe St Sauver wrote: > Well, it's obviously not quite that easy yet, but users can currently get > a free client cert by visiting a web page and filling out a form, and IanG's point was that there should be no web page, no form. You know how sshd generates a host

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread Joe St Sauver
#> When smime.p7s files start getting stripped, there goes yet another #> potentially critical piece of security technology. # #All email client vendors had to do to give smime a chance in life was to #make it easy to generate and use a cert. Automatically. Add an #account, generate a cert. Th

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread ianG
On 22/09/11 00:56 AM, Joe St Sauver wrote: #Anybody want to put forward a conjecture about the response to this pop-up #across the population of e-mail users? Naturally, users (or their support staff) will disable OCSP/CRL checking to make the pop-ups stop happening. Cf. revocation is b

Re: [cryptography] Math corrections

2011-09-21 Thread Chris Palmer
On Wed, Sep 21, 2011 at 11:30 AM, ianG wrote: > It's a good term! Add my use: There is a universal implicit > cross-certification in the secure browsing PKI, and the industry knows it, > or should know it. > > Indeed, we can show evidence of this in Chrome's CA pinning. I had assumed everyone

Re: [cryptography] Math corrections

2011-09-21 Thread ianG
Hi all, On 22/09/11 02:30 AM, Arshad Noor wrote: On 09/18/2011 11:59 AM, Peter Gutmann wrote: Arshad Noor writes: Just because you come across one compromised CA out of 100 in the browser, does not imply that the remaining 99 are compromised (which is what you are implying with your statem

Re: [cryptography] Math corrections

2011-09-21 Thread Jeffrey Walton
On Wed, Sep 21, 2011 at 12:30 PM, Arshad Noor wrote: > On 09/18/2011 11:59 AM, Peter Gutmann wrote: >> >> Arshad Noor  writes: >> >>> Just because you come across one compromised CA out of 100 in the >>> browser, >>> does not imply that the remaining 99 are compromised (which is what you >>> are >

Re: [cryptography] Math corrections

2011-09-21 Thread Arshad Noor
On 09/18/2011 11:57 AM, Peter Gutmann wrote: Arshad Noor writes: Are there weaknesses in PKI? Undoubtedly! But, there are failures in every ecosystem. The intelligent response to "certificate manufacturing and distribution" weaknesses is to improve the quality of the ecosystem - not throw t

Re: [cryptography] Math corrections

2011-09-21 Thread Arshad Noor
On 09/18/2011 11:59 AM, Peter Gutmann wrote: Arshad Noor writes: Just because you come across one compromised CA out of 100 in the browser, does not imply that the remaining 99 are compromised (which is what you are implying with your statement). Since browser PKI uses universal implicit cro

Re: [cryptography] Security Pop-Up of the Day

2011-09-21 Thread Joe St Sauver
#In viewing an e-mail this morning I received the following pop-up: # #"Revocation information for the security certificate for this site is not #available. #Do you want to proceed?" # #Not just once but for every URL embedded in the e-mail. # #Anybody want to put forward a conjecture about the re

[cryptography] Security Pop-Up of the Day

2011-09-21 Thread Scott Guthery
In viewing an e-mail this morning I received the following pop-up: "Revocation information for the security certificate for this site is not available. Do you want to proceed?" Not just once but for every URL embedded in the e-mail. Anybody want to put forward a conjecture about the response

Re: [cryptography] code signing a nuisance?

2011-09-21 Thread Ben Laurie
On Wed, Sep 21, 2011 at 7:59 AM, Chris Palmer wrote: > Please look into how code signing on Android works and what it means. It's > not what you think — there are no CAs. The code signing models in Android and Chrome (for extensions) are a small island of sanity in a crazy world.