Re: [cryptography] airgaps in CAs

2011-12-08 Thread Martin Paljak
On 12/9/11 6:16 , Peter Gutmann wrote: > Arshad Noor writes: > >> Every private PKI we have set up since 1999 (more than a dozen, of which a few were for the largest companies in the world) has had the Root CA on a non-networked machine with commensurate controls to protect the CA. >

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread Peter Gutmann
writes: >One would assume that the effort to get such a signing certificate would persuade the bad team to use that cert for targeted attacks, not broadcast ones, in which case you would be damned lucky to find it in a place where you could then encapsulate it in a signature-based protection

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread dan
Peter Gutmann writes: -+--- | This means that once a particular signed binary has been detected | as being malware the virus scanner can extract the signing | certificate and know that anything else that contains that | particular certificate will also be malware, with the cert

Re: [cryptography] airgaps in CAs

2011-12-08 Thread Peter Gutmann
Arshad Noor writes: >Every private PKI we have set up since 1999 (more than a dozen, of which a few were for the largest companies in the world) has had the Root CA on a non-networked machine with commensurate controls to protect the CA. What about TSAs, where you need a key with an irrevocab

Re: [cryptography] Another CA hacked, it seems.

2011-12-08 Thread Peter Gutmann
Ralph Holz writes: >As I said, at this rate we shall have statistically meaningful large numbers of CA hacks by 2013: KPN is claiming there's nothing to worry about, please move along: http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fforum.kpn.com%2Ft5%2FNews-stream%2FU

Re: [cryptography] OpenDNS

2011-12-08 Thread Randall Webmail
From: "jd.cypherpunks" >David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/ What do you think? He's been running https://www.opendns.com/ for quite some time. I read somewhere that the project is making $200K a month by selling the redirects, but a) That seems grossly inflated, an

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread Peter Gutmann
"mhey...@gmail.com" writes: >In a CRL that contains an element that revokes the CRL signing certificate, only that element can be assumed to be correct. All other list elements are suspect. Uhh, read my original text again. This is your personal opinion. Ask a bunch of PKI people, or look

Re: [cryptography] OpenDNS

2011-12-08 Thread Marsh Ray
On 12/08/2011 01:09 PM, jd.cypherpunks wrote: David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/ What do you think? I assume you're talking about their new DNSCrypt application. They seem to be saying it's an implementation of DJB's DNSCurve protocol. https://twitter.com/#!/david

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread mhey...@gmail.com
On Wed, Dec 7, 2011 at 4:32 PM, Peter Gutmann wrote: > In the presence of such a [self-revoking] revocation [of a root certificate] applications can react in one of three ways: they can accept the CRL that revokes the certificate as valid and revoke it, they can reject the CRL as invalid

[cryptography] OpenDNS

2011-12-08 Thread jd.cypherpunks
David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/ What do you think? --Michael

Re: [cryptography] airgaps in CAs

2011-12-08 Thread Arshad Noor
I am aware of at least one public CA - still in business - that fits this description. Every private PKI we have set up since 1999 (more than a dozen, of which a few were for the largest companies in the world) has had the Root CA on a non-networked machine with commensurate controls to protect th

Re: [cryptography] Another CA hacked, it seems.

2011-12-08 Thread Ralph Holz
Hi, > Did they successfully hack the CA functionality or just a web site housing network design documents for various Dutch government entities? From what survives Google Translate of the original Dutch it appears to be the latter no? Too early for a definite call. But there is also this r

Re: [cryptography] airgaps in CAs

2011-12-08 Thread The Doctor
On 12/08/2011 09:54 AM, Eugen Leitl wrote: > Is anyone aware of a CA that actually maintains its signing secrets on secured, airgapped machines, with transfers batched and done purely by sneakernet? Only for one company that went out of business

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread Jeffrey Walton
2011/12/7 Marsh Ray : > On 12/07/2011 07:01 PM, lodewijk andré de la porte wrote: >> I figured it'd be effective to create a "security awareness group" figuring the most prominent (and only effective) way to show people security is a priority is by placing a simple marking, something lik

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread Nico Williams
On Thu, Dec 8, 2011 at 9:26 AM, Darren J Moffat wrote: > On 12/08/11 03:27, Nico Williams wrote: >> You misunderstand.  The Android code signing model isn't intended to >> protect you from installing malware: it's intended to help Android a) >> provide isolation between apps from different sources

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread Marsh Ray
On 12/08/2011 09:16 AM, Darren J Moffat wrote: On 12/07/11 14:42, William Whyte wrote: Well, I think the theoretically correct answer is that you *should*... these days all the installers can be available online, after all. Except when the installer CD you need is the one for the network drive

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread Darren J Moffat
On 12/07/11 14:42, William Whyte wrote: Well, I think the theoretically correct answer is that you *should*... these days all the installers can be available online, after all. Except when the installer CD you need is the one for the network driver on the new machine without which you can't ge

[cryptography] airgaps in CAs

2011-12-08 Thread Eugen Leitl
Is anyone aware of a CA that actually maintains its signing secrets on secured, airgapped machines, with transfers batched and done purely by sneakernet? -- Eugen* Leitl http://leitl.org __ ICBM: 48.07100, 11.36

Re: [cryptography] Another CA hacked, it seems.

2011-12-08 Thread ianG
On 9/12/11 01:46 AM, Adam Back wrote: I'd hesitate calling that a "CA hacked" even if the web site was a web site belonging to someone who operates a CA. My question is whether the website / database had subscriber information on it. That's a CA hack, albeit more a privacy hack than a cryp

Re: [cryptography] Another CA hacked, it seems.

2011-12-08 Thread Adam Back
Did they successfully hack the CA functionality or just a web site housing network design documents for various Dutch government entities? From what survives Google Translate of the original Dutch it appears to be the latter no? And if Kerckhoff's principle was followed what does it matter if so

[cryptography] Another CA hacked, it seems.

2011-12-08 Thread Ralph Holz
As I said, at this rate we shall have statistically meaningful large numbers of CA hacks by 2013: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwebwereld.nl%2Fnieuws%2F108815%2Fweer-certificatenleverancier-overheid-gehackt.html&act=u

Re: [cryptography] Law of unintended consequences?

2011-12-08 Thread ianG
On 8/12/11 12:01 PM, lodewijk andré de la porte wrote: I figured it'd be effective to create a "security awareness group" figuring the most prominent (and only effective) way to show people security is a priority is by placing a simple marking, something like "this site isn't safe!" and contact