Re: [cryptography] "Against Rekeying"

2010-03-23 Thread Adam Back
In anon-ip (a zero-knowledge systems internal project) and cebolla [1] we provided forward-secrecy (aka backward security) using symmetric re-keying (key replaced by hash of previous key). (Backward and forward security as defined by Ross Anderson in [2].) But we did not try to do forward securit
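
The symmetric re-keying the message above describes, as an added example that is not code from the anon-ip or cebolla projects: a one-directional hash-chain ratchet in Python (standard library only; the derivation labels, the HMAC-based keystream, the encrypt-then-MAC framing and the class/function names are this example's own choices, and the shared initial key is assumed to come from some earlier key exchange). It shows the property the message claims, that a chain key captured now decrypts nothing sent earlier, and the one it says was not attempted, that the same key decrypts everything sent afterwards.

```python
import hashlib
import hmac


def advance(chain_key):
    """The re-keying rule from the post: the next chain key is a hash of the current one.
    The hash is one-way, so holding chain key i reveals nothing about chain key i-1."""
    return hashlib.sha256(b"ratchet-step" + chain_key).digest()


def message_keys(chain_key):
    # Per-message encryption and MAC keys, derived so that using them never exposes the
    # chain key itself. (The labels are this example's choice.)
    enc = hmac.new(chain_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(chain_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def stream_xor(enc_key, data):
    # Keystream = HMAC(enc_key, counter) blocks XORed onto the data; same for both directions.
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(enc_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(chain_key, plaintext):
    """Encrypt-then-MAC under the keys of the current chain step; returns (ciphertext, tag)."""
    enc, mac = message_keys(chain_key)
    ct = stream_xor(enc, plaintext)
    return ct, hmac.new(mac, ct, hashlib.sha256).digest()


def unseal(chain_key, ct, tag):
    """Plaintext, or None when the tag does not verify (wrong chain step, or tampering)."""
    enc, mac = message_keys(chain_key)
    if not hmac.compare_digest(hmac.new(mac, ct, hashlib.sha256).digest(), tag):
        return None
    return stream_xor(enc, ct)


class Ratchet:
    """One direction of a session. Both ends start from the same key; every message advances
    the chain and the previous chain key is overwritten, never kept."""

    def __init__(self, initial_key):
        self.chain_key = initial_key
        self.index = 0

    def send(self, plaintext):
        n, (ct, tag) = self.index, seal(self.chain_key, plaintext)
        self.chain_key, self.index = advance(self.chain_key), n + 1
        return n, ct, tag

    def receive(self, n, ct, tag):
        if n < self.index:
            return None  # the key for an older message is gone: that is the forward secrecy
        while self.index < n:  # catch up over lost or reordered messages
            self.chain_key, self.index = advance(self.chain_key), self.index + 1
        pt = unseal(self.chain_key, ct, tag)
        if pt is not None:
            self.chain_key, self.index = advance(self.chain_key), n + 1
        return pt


def demo(initial_key=b"shared-session-key-from-key-exchange"):
    alice, bob = Ratchet(initial_key), Ratchet(initial_key)
    sent = [alice.send(m) for m in (b"first", b"second", b"third")]
    received = [bob.receive(*m) for m in sent]
    stolen = alice.chain_key  # attacker reads Alice's current chain key after three messages
    # Earlier traffic stays sealed: each earlier chain key was replaced by its hash.
    past = [unseal(stolen, ct, tag) for _, ct, tag in sent]
    # Later traffic does not: with no fresh key agreement the attacker just advances the chain.
    _, ct, tag = alice.send(b"fourth")
    future = unseal(stolen, ct, tag)
    return received, past, future
```

The guarantee only holds if the old chain key really is overwritten: a copy left in a log, swap file or backup defeats the ratchet, and nothing here recovers from a compromise without a fresh key agreement.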

Re: [cryptography] OpenSSL 1.0.0 released

2010-03-31 Thread Adam Back
I don't believe it was intended to be rude, just a tongue-in-cheek way of saying that the attack is impractical or inapplicable to openSSL. You have to have a bit of history perhaps to appreciate Peter's comments - he's actually the author of many very funny and insightful comments and articles on

Re: [cryptography] short signature scheme?

2010-11-08 Thread Adam Back
I guess DSA should give 40 bytes +- a bit of boilerplate. I have some code at http://www.cypherspace.org/openpgp/pgpdsa/ that creates and verifies somewhat PGP/GPG compatible DSA sigs. (It uses openssl for the bignum library I use DSA_do_sign & DSA_do_verify). Adam On Mon, Nov 08, 2010 at 10:

Re: [cryptography] Embrace the decline!

2010-11-16 Thread Adam Back
You know I didn't see any spam on here, so probably there is either moderation or subscriber-only posting - and you get to see the conversation progress within minutes instead of days/weeks, so I am not complaining personally. It's kind of hard to have a conversation with weeks of gap - the only re

Re: [cryptography] NSA's position in the dominance stakes

2010-11-18 Thread Adam Back
So a serious question: is there a software company friendly jurisdiction? (Where software and algorithm patents do not exist under law?) If patent trolls can patent all sorts of wheels and abuse the US and other jurisdictions' flawed patent system, maybe one can gain business advantage by incorpo

Re: [cryptography] NSA's position in the dominance stakes

2010-11-19 Thread Adam Back
. Adam On Thu, Nov 18, 2010 at 08:43:44PM -0500, Steven Bellovin wrote: On Nov 18, 2010, at 5:21:16 PM, Adam Back wrote: So a serious question: is there a software company friendly jurisdiction? (Where software and algorithm patents do not exist under law?) It won't help, if you want to

[cryptography] patents and stuff (Re: NSA's position in the dominance stakes)

2010-11-20 Thread Adam Back
Yep another xor-cursor or actually even worse. Retarded. A few years back, at Zero-Knowledge Systems (privacy tech company Montreal, Canada - once home of the "freedom" network and a few cypherpunks etc) the CEO Austin Hill wanted to patent some "stuff". We were grumbling and saying "please do

Re: [cryptography] NSA's position in the dominance stakes

2010-11-20 Thread Adam Back
I'm sure one can come up with minor variant schemes. The arguable area is between patents which are intentionally drawn up to cover as much as possible and people who bother to read the patents and then try to use some minor variant that is different. But also it's a minefield so the official poli

Re: [cryptography] patents and stuff (Re: NSA's position in the dominance stakes)

2010-11-21 Thread Adam Back
Hi James I think, a bit of ranting aside, what people dislike is that software patents are a net loss to the economy, software progress and meritocracy. The patent mine-field isn't good for the industry nor society as a whole as it adds economic friction, uncertainty and therefore holds back pro

Re: [cryptography] patents and stuff (Re: NSA's position in the dominance stakes)

2010-11-21 Thread Adam Back
Well not to fan the flames etc but a patent attorney presumably helped write up the one click, and a patent examiner agreed that it was patent worthy. Wiki also has some things to say about why patent standards are falling - examiners are overworked, quota driven civil servants... http://en.wik

Re: [cryptography] current digital cash / anonymous payment projects?

2010-12-01 Thread Adam Back
For the technology, to play with it I have Brands and Chaum credentials implemented in this library: http://cypherspace.org/credlib/ It was an experiment in simplifying the APIs so I think it's rather simple to use. Using credentials as an ecash coin is a simple use-case. For Chaum you

Re: [cryptography] is Perry ok?

2010-12-23 Thread Adam Back
This new crypto list seems to be ok... maybe he wants to just email the list members who didn't already subscribe to both. Adam On Thu, Dec 23, 2010 at 11:15:36AM -0500, Steven Bellovin wrote: On Dec 23, 2010, at 9:43:38 AM, Jack Lloyd wrote: On Thu, Dec 23, 2010 at 12:02:35AM -0800, travis+

Re: [cryptography] True Random Source, Thoughts about a Global System Perspective

2011-01-25 Thread Adam Back
I think for its flaws, it's still significantly useful that a FIPS algorithm or crypto library certificate certifies that an implementation passes its test vectors, startup tests etc. It gives some reasonable assurance that the algorithm is implemented according to the spec, and typically some tho

Re: [cryptography] True Random Source, Thoughts about a Global System Perspective

2011-01-26 Thread Adam Back
You should presume your CPRNG output is public (eg published on the web) What we are talking about in the real world is C_P_RNGs and the C cryptographic means it's suitable for crypto uses, and pseudo means it's a tool for stretching some adequate supply of real entropy (eg 128-bits, 256-bits or w

Re: [cryptography] deniable store and forward with integrity protection?

2011-02-15 Thread Adam Back
Ian Brown and I proposed a simpler, non-interactive, approach for use in openPGP we called "non-transferable signatures" http://www.cs.ucl.ac.uk/staff/i.brown/nts.htm The basic idea is you use an integrity protected (non-malleable) symmetric encryption option in PGP, and then change the

[cryptography] RSA admits securID tokens have been compromised

2011-06-07 Thread Adam Back
http://www.net-security.org/secworld.php?id=11122 "RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens." I guess everyone was suspecting as much reading between the lines of what was said so far

Re: [cryptography] attacks against bitcoin

2011-06-12 Thread Adam Back
I was thinking a DoS might be a problem. If you could prevent the p2p network broadcasting or receiving broadcasts, maybe you could be the only person able to proceed with minting. If you could keep that up for a while you could reduce the difficulty and create bitcoins with lower cost. A full

Re: [cryptography] Digital cash in the news...

2011-06-13 Thread Adam Back
Bitcoin is not a pyramid scheme, and doesn't have to have the collapse and late joiner losers. If bitcoin does not lose favor - ie the user base grows and then maintains size of user base in the long term, then no one loses. I think in the current phase the deflation (currency increasing in value

Re: [cryptography] Digital cash in the news...

2011-06-13 Thread Adam Back
to saturation, the remaining deflation would be limited by the underlying population and economic growth. That might be workable rate of deflation. Adam On Mon, Jun 13, 2011 at 11:55:38PM +1000, Ian G wrote: On 13/06/11 5:54 PM, Adam Back wrote: Bitcoin is not a pyramid scheme, and doesn't have

[cryptography] sander & ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)

2011-06-14 Thread Adam Back
See also: Auditable Anonymous Electronic Cash by Tomas Sander and Amnon Ta-Shma in crypto 1998. http://www.math.tau.ac.il/~amnon/Papers/ST.crypto99.pdf It's basically the idea of using non-interactive zero knowledge proof of membership in a list of coins as an alternative to blinding. The intere

Re: [cryptography] sander & ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)

2011-06-15 Thread Adam Back
On Tue, Jun 14, 2011 at 07:40:10PM +1000, James A. Donald wrote: It is not a design, but an idea for a design. There is no efficient zero knowledge proof that has the required properties. On 2011-06-14 6:13 PM, Adam Back wrote: [...] They use Merkle trees to improve the computation efficiency

[cryptography] crypto & security/privacy balance (Re: Digital cash in the news...)

2011-06-15 Thread Adam Back
Well said StealthMonger, I suspect Nico is in the minority on this list with that type of view. I read Nico's later reply also. Short of banning crypto privacy and security rights stand a better chance of being balanced by more deployment of crypto. (In terms of warrantless wiretaps etc which s

[cryptography] not unsubscribing (Re: Unsubscribing)

2011-06-16 Thread Adam Back
Trust me the noise level on here is zero compared to usenet news flame fests, spam, DoS etc. The maintainer is removing spam for one (I think). Personally I find it kind of annoying when people want to squelch any interesting discussion about societal implications as that is part of what is inte

Re: [cryptography] Bitcoin observation

2011-07-05 Thread Adam Back
I don't think you can prove you have destroyed a bitcoin, neither your own bitcoin, nor someone else's. To destroy it you would have to prove you deleted the coin private key, and you could always have an offline backup. You could uncreate a coin by creating a chain removing it from existence, by

Re: [cryptography] Bitcoin observation

2011-07-05 Thread Adam Back
Maybe one could introduce a way to destroy coins. eg transfer it to "/dev/null" by signing a transfer to an obviously non-existent key-fingerprint like all s or such. But I guess provable coin destruction is not a mainstream "feature"! Adam On Tue, Jul 05, 2011 at 12

Re: [cryptography] Bitcoin observation

2011-07-08 Thread Adam Back
I thought I already said this in another message, but perhaps it didn't get to the list. Apart from the fact that they have some kind of script which trivially allows you to set the conditions of validity to something impossible to satisfy eg 0 = 1 that Seth Schoen described; the key in the signat

[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Adam Back
You know this is why you should use ssh-keys and disable password authentication. First thing I do when someone gives me an ssh account. ssh-keys is the EKE(*) equivalent for ssh. EKE for web login is decades overdue and if implemented and deployed properly in the browser and server could prett

Re: [cryptography] Symantec gets it wrong

2011-09-08 Thread Adam Back
I agree - if your bargain basement $15 site CA gets hacked and delisted, just buy another cert from the next in line for $20 and install it on your server. Problem solved. Your only cost is replacing your cert between when the problem is announced and hopefully before the delisting kicks in. I

[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))

2011-09-10 Thread Adam Back
So I hear CA pinning mentioned a bit as a probable way forward, but I didn't see anyone define it on this list, so from web search what I can find is that certificate holder can define the CAs that are allowed to issue certs for its domain. Maybe a bit analogous to SPF for email. (Anyone have a d

[cryptography] server-signed client certs (Re: SSL is not "broken by design")

2011-09-25 Thread Adam Back
What about introducing the concept of server signed client certs. A server could recognize its own server key pair signature on the client cert, even though the server cert is not a proper CA cert. Then the password request on the client goes to the browser/os key store. So long as you had CA p

[cryptography] ECDSA - patent free?

2011-11-09 Thread Adam Back
Anyone have informed opinions on whether ECDSA is patent free? Any suggestions on EC capable crypto library that implements things without tripping over any certicom claimed optimizations? (Someone pointed out to me recently that the redhat shipped openSSL is devoid of ECC which is kind of a n

Re: [cryptography] fyi: Sovereign Keys: an EFF proposal for more secure TLS authentication

2011-11-26 Thread Adam Back
I only skimmed the high level but I presume they would be using a merkle hash-tree and time-stamp server or something like that so it can't revise its story later and its current state can be audited by anyone against its advertised information. Adam On Sat, Nov 26, 2011 at 11:36:11PM +1100, ianG

Re: [cryptography] fyi: Sovereign Keys: an EFF proposal for more secure TLS authentication

2011-11-27 Thread Adam Back
cal area. Adam On Sun, Nov 27, 2011 at 08:12:00AM +0200, Martin Paljak wrote: No, they had ecc and I saw no references to hash chains or trees. But that would be a right/interesting direction. On Nov 27, 2011 12:42 AM, "Adam Back" wrote: I only skimmed the high level but I presume the

Re: [cryptography] trustable self-signed certs in a P2P environment (freedombox)

2011-11-30 Thread Adam Back
It's rather common for people with load balancers and lots of servers serving the same domain to have multiple certs. Same for certs to change to a new CA before expiry. (Probably switched to a new CA when adding more servers to the load balanced web server farm). I installed cert patrol and the

[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-11-30 Thread Adam Back
Are there really any CAs which issue sub-CA for "deep packet inspection" aka doing MitM and issue certs on the fly for everything going through them: gmail, hotmail, online banking etc. I saw Ondrej Mikle also mentions this concept in his referenced link from recent post: https://mail1.eff.org/p

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-01 Thread Adam Back
It does at least say they need a certificate practice statement, and hardware key generation and storage, AND "All domains must be owned by the enterprise customer". They can sell the ability to be a sub-CA if they want to. Their standards seem probably as good as your average CA and precludes M

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-02 Thread Adam Back
Well I was aware of RA things where you do your own RA and on the CA side they limit you to issuing certs belonging to you, if I recall thawte was selling those. (They pre-vet your ownership of some domains foocorp.com, foocorpinc.com etc, and then you can issue www.foocorp.com, *.foocorp.com ..

[cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
ations of privacy in work places (and obviously public places). More below: On Fri, Dec 02, 2011 at 11:02:14PM +1300, Peter Gutmann wrote: Adam Back writes: Start of the thread was that Greg and maybe others claim they've seen a cert in the wild doing MitM on domains they definitionally do N

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
On Sat, Dec 03, 2011 at 01:00:14AM +1300, Peter Gutmann wrote: I was asked not to reveal details and I won't, Of course, I would do the same if so asked. But there are lots of people on the list who have not obtained information indirectly, with confidentiality assurances offered, and for them

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
I wonder what that even means. *.com issued by a sub-CA? that private key is a massive risk if so! I wonder if a *.com is even valid according to browsers. Or * that would be funny. Adam On Sat, Dec 03, 2011 at 02:24:53AM +1300, Peter Gutmann wrote: Adam Back writes: [WAP wildcard certs

[cryptography] so can we find a public MitM cert sample? (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-05 Thread Adam Back
I have to say I have my doubts that either Boingo or Sheraton hotels, or other providers would be doing MitM for advertising/profiling or whatever reasons to their respective wifi services. Absent certs showing this, it's a significantly controversial claim, and there are many many reasons you can

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-06 Thread Adam Back
Someone should re-test that Three 3g data + bluecoat content-filtering -as-a-service with SSL and give us the cert if the answer is "interesting" :) Most of the parental control and site blocking things are trivially breakable. For example my router can block domains .. but its mechanism is idi

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-06 Thread Adam Back
authorize you or CAs to subverting the SSL guarantee and other people's security. Even people who have internal CAs for certification SHOULD NOT be abusing them for MitM. Adam On Tue, Dec 06, 2011 at 10:52:43AM +, Florian Weimer wrote: * Adam Back: Are there really any CAs which issue sub-C

Re: [cryptography] Another CA hacked, it seems.

2011-12-08 Thread Adam Back
Did they successfully hack the CA functionality or just a web site housing network design documents for various dutch government entities? From what survives google translate of the original dutch it appears to be the latter no? And if Kerckhoff's principle was followed what does it matter if so

Re: [cryptography] airgaps in CAs

2011-12-09 Thread Adam Back
Hi Arshad Do the air gapped private PKI root certs (and if applicable their non-airgapped sub-CA certs they authorize) have the critical name constraint extension eg ".foocorp.com" meaning it is only valid for creating certs for *.foocorp.com? (I am presuming these private PKI certs are sub-CA c

Re: [cryptography] airgaps in CAs

2011-12-13 Thread Adam Back
the new cert? Adam On Mon, Dec 12, 2011 at 06:21:41PM -0800, Arshad Noor wrote: On 12/9/2011 12:27 AM, Adam Back wrote: Do the air gapped private PKI root certs (and if applicable their non-airgapped sub-CA certs they authorize) have the critical name constraint extension eg ".foocor

Re: [cryptography] How are expired code-signing certs revoked? (nonrepudiation)

2011-12-22 Thread Adam Back
Stefan Brands credentials [1] have an anti-lending feature where you have to know all of the private components in order to make a signature with it. My proposal related to what you said was to put a high value ecash coin as one of the private components. Now they have a direct financial incenti

[cryptography] implementation of NIST SP-108 KDFs?

2011-12-28 Thread Adam Back
As there are no NIST KAT / test vectors for the KDF defined in NIST SP 108, I wonder if anyone is aware of any open source implementations of them to use for cross testing? Adam

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Adam Back
On 2 January 2012 03:01, ianG wrote: >>> When I was a rough raw teenager doing this, I needed around 2 weeks to >>> pick up 5 letters from someone typing like he was electrified.  The other 3 >>> were crunched in 4 hours on a vax780. >> >> how many samples? (distinct shoulder surf events) > > > Ab

Re: [cryptography] reports of T-Mobile actively blocking crypto

2012-01-11 Thread Adam Back
You know I also noticed mail sending problems when I was in the UK a month or two ago. I am transit via heathrow right now, and now I have no problem. This is pay as you go t-mobile. So maybe they saw the PR problem brewing and stopped whatever they were doing. One gotcha (though I am sure it

[cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Adam Back
So it happened, per recent discussion on this list, it seems that at least one CA *has* been issuing sub-CA certs for corporate use in mitm boxes. http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972 mozilla is threatening to remove the CA fro

Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Adam Back
Well I am not sure how they can hope to go very far underground. Any and all users on their internal network could easily detect and anonymously report the mitm cert for some public web site without any significant risk of it being tracked back to them. Game over. So removal of one CA from a m

Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Adam Back
My point is this - say you are the CEO of a CA. Do you want to bet your entire company on no one ever detecting nor reporting the MITM sub-CA that you issued? I wouldn't do it. All it takes is one savvy or curious guy in a 10,000 person company. Consequently if there are any other CAs that have

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-17 Thread Adam Back
Further the fact that the entropy seeding is so bad that some implementations are generating literally the same p value (but seemingly different q values) I would think you could view the fact that this can be detected and efficiently exploited via batch GCD as an indication of an even bigger probl

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-18 Thread Adam Back
, how hard can it be etc. There's a psychological theory of why this kind of thing happens in general - the Dunning-Kruger effect. But maybe 1 happened. Adam [1] http://en.wikipedia.org/wiki/Dunning–Kruger_effect On 18 February 2012 07:57, Peter Gutmann wrote: > Adam Back writes: &g

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-18 Thread Adam Back
t is quite plausible for this case... the effect would be rather like observed. Adam On 18 February 2012 10:40, Adam Back wrote: > I also was pondering as to how the implementers could have arrived at > this situation towards evaluating Stephen Farrell's draft idea to have > a servi

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-03-05 Thread Adam Back
Further the fact that the entropy seeding is so bad that some implementations are generating literally the same p value (but seemingly different q values) I would think you could view the fact that this can be detected and efficiently exploited via batch GCD as an indication of an even bigger prob
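
The batch GCD that this message (and its earlier copy of 2012-02-17 above) says makes the shared-prime problem efficiently exploitable, as an added example that is not code from the thread. The moduli are constructed for the demo from known Mersenne primes, standing in for real 1024-bit keys, so that the arithmetic is checkable offline; the function names and the product/remainder-tree layout (Bernstein's method) are this example's own.

```python
import math
from functools import reduce

# Constructed test data: products of Mersenne primes 2^e - 1 (e in the list gives primes),
# standing in for the RSA moduli of the study. N0 and N2 share a prime, as do N1 and N4.
P = {e: 2 ** e - 1 for e in (31, 61, 89, 107, 127, 521, 607, 1279)}
MODULI = [
    P[127] * P[521],
    P[61] * P[89],
    P[127] * P[607],
    P[107] * P[1279],
    P[31] * P[61],
]


def product_tree(leaves):
    """Levels of pairwise products, leaves first, root (the product of everything) last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """gcd(N_i, product of all the other moduli) for every i in quasi-linear time:
    push Z = prod(N) down a remainder tree as Z mod node^2, then at each leaf
    gcd(N_i, (Z mod N_i^2) / N_i), since (Z mod N_i^2) / N_i = (prod of others) mod N_i."""
    tree = product_tree(moduli)
    rems = tree[-1]
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def _lcm(a, b):
    return a * b // math.gcd(a, b)


def pairwise_gcd(moduli):
    """The obvious O(n^2) version, kept only to cross-check the tree on small inputs.
    gcd(N, prod of others) is the lcm of the individual gcd(N, N_j)."""
    return [reduce(_lcm, (math.gcd(n, m) for j, m in enumerate(moduli) if j != i), 1)
            for i, n in enumerate(moduli)]


def leaked_factors(moduli):
    """For each modulus: (p, q) when batch GCD splits it, None when it shares nothing.
    A gcd equal to N itself means both primes are shared (or the key is an exact duplicate)."""
    result = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if 1 < g < n:
            result.append(tuple(sorted((g, n // g))))
        elif g == n:
            result.append(("shared-both", n))
        else:
            result.append(None)
    return result
```

Run over a real certificate dump the only change is the input list; the cost is dominated by multiplying everything together once, which is what makes scanning millions of keys practical while pairwise GCD is not.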

Re: [cryptography] The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)

2012-03-23 Thread Adam Back
You know PFS while a good idea, and IMNSO all non-PFS ciphersuites should be deprecated etc, PFS just ensures the communicating parties delete the key negotiation ephemeral private keys after use. Which does nothing intrinsic to prevent massive computation powered 1024 discrete log on stored PFS

Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)

2012-03-23 Thread Adam Back
I presume it's implied (too much tongue-in-cheek stuff for my literal brain to interpret) but a self-signed CA cert is a serious thing - that's a sub-CA cert typically. How that came to be signed with a bizarre though legal e parameter is scary - what library or who wrote the code etc. Usual reaso

Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)

2012-03-23 Thread Adam Back
ight is a performance trick for modexp which involves more multiply operations for higher Hamming weight. Adam On Fri, Mar 23, 2012 at 03:05:48PM +0100, Adam Back wrote: I presume it's implied (too much tongue-in-cheek stuff for my literal brain to interpret) but a self-signed CA cert is a serious thin

Re: [cryptography] Key escrow 2012

2012-03-30 Thread Adam Back
As I recall people were calling the PGP ADK feature corporate access to keys, which the worry was, was only policy + config away from government access to keys. I guess the sentiment still stands, and with some justification, people are still worried about law enforcement access mechanisms for in

Re: [cryptography] PINS and [Short] Passwords

2012-04-04 Thread Adam Back
Surely one can't think of the limitations (requirement for cooperation from the OS to test the PIN) as if they are cryptographic limitations... Apple probably supplies such a service themselves to law enforcement as a private apple approved ready-to-go app. Adam On Wed, Apr 04, 2012 at 03:45:09PM

Re: [cryptography] PINS and [Short] Passwords

2012-04-06 Thread Adam Back
The bit tying in to my comment a few days ago is they note that apple won't confirm but no doubt does provide a signed private app that takes the encrypted key material off the device for brute forcing. And an app for dumping all data off the device if that's also not possible without jailbreaking

[cryptography] SHA1 extension limitations (Re: Doubts over necessity of SHA-3 cryptography standard)

2012-04-10 Thread Adam Back
Well the length extension is not fully flexible. ie you get SHA1( msg ) which translates into "msg-blocks || " which is then fed to SHA1-transform, and the IV is some magic values. So the length extension is if you start with a hash that presumably you don't know all the msg-blocks. h1 = SHA1(
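
The extension the message above is walking through, as an added example that is not code from the post: a standard-library Python SHA-1 (compression function, padding, IV) plus a `length_extend` that resumes from a digest, and a `demo` that forges a tag for the naive `SHA1(key || message)` construction. The key, message, extension and the function names are this example's own; the point it makes beyond the quoted text is the "not fully flexible" part, that the forger has to carry SHA-1's own padding into the forged message and has to know the length of what was hashed, and that HMAC-SHA1 is not affected.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state, block):
    """One SHA-1 compression (FIPS 180-4): a 64-byte block into the 5-word chaining state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1_padding(length):
    """What SHA-1 appends to a `length`-byte message: 0x80, zeros to 56 mod 64, 64-bit bit count."""
    return b"\x80" + b"\x00" * ((55 - length) % 64) + struct.pack(">Q", length * 8)


def sha1(message):
    """Full SHA-1 from the pieces above; used to check them against hashlib."""
    state, data = SHA1_IV, message + sha1_padding(len(message))
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)


def length_extend(digest, known_len, extension):
    """Given SHA1(m) and len(m) only, return (SHA1(m || glue || extension), glue || extension).
    `glue` is SHA-1's own padding for m: the forger cannot avoid it (the limited flexibility
    the post describes) and needs len(m) to compute it."""
    state = struct.unpack(">5I", digest)
    glue = sha1_padding(known_len)
    data = extension + sha1_padding(known_len + len(glue) + len(extension))
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state), glue + extension


def naive_mac(key, message):
    # The construction the attack breaks: tag = SHA1(key || message).
    return hashlib.sha1(key + message).digest()


def forge(key_len, message, tag, extension):
    """Attacker's view: no key, only its length, one (message, tag) pair and bytes to append."""
    forged_tag, suffix = length_extend(tag, key_len + len(message), extension)
    return message + suffix, forged_tag


def demo(key=b"s3cret-key", message=b"amount=10&to=alice", extension=b"&to=mallory"):
    tag = naive_mac(key, message)
    forged_msg, forged_tag = forge(len(key), message, tag, extension)
    naive_accepts = hmac.compare_digest(naive_mac(key, forged_msg), forged_tag)
    # A wrong guess of the key length puts the glue in the wrong place and the forgery fails.
    wrong_msg, wrong_tag = forge(len(key) + 1, message, tag, extension)
    wrong_len_accepts = hmac.compare_digest(naive_mac(key, wrong_msg), wrong_tag)
    # HMAC-SHA1 does not extend: the outer hash hides the inner chaining value.
    hmac_tag = hmac.new(key, message, hashlib.sha1).digest()
    hmac_msg, hmac_forged = forge(len(key), message, hmac_tag, extension)
    hmac_accepts = hmac.compare_digest(hmac.new(key, hmac_msg, hashlib.sha1).digest(), hmac_forged)
    return naive_accepts, wrong_len_accepts, hmac_accepts
```

Whether the glue bytes in the forged message matter depends on the parser on the other side; for a `&`-separated query string the extra bytes end up inside one value, which is exactly why `SHA1(key || message)` keeps turning up as a real-world bug rather than a curiosity.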

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

2012-04-26 Thread Adam Back
I think the separate integrity tag is more general, flexible and more secure where the flexibility is needed. Tahoe has more complex requirements and hence needs to make use of a separate integrity tag. I guess in general it is going to be more general, flexible if there are separate keys (incl

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

2012-04-26 Thread Adam Back
d up with a compromised design in both dimensions. Adam On Thu, Apr 26, 2012 at 11:55:27AM +0200, Adam Back wrote: I think the separate integrity tag is more general, flexible and more secure where the flexibility is needed. Tahoe has more complex requirements and hence needs to make use of a sepa

Re: [cryptography] Bitcoin-mining Botnets observed in the wild? (was: Re: Bitcoin in endgame

2012-05-11 Thread Adam Back
Strikes me 12TH/sec is not actually very much computation? http://bitcoinwatch.com/ also gives network hashrate at 12.4 TH/sec. But a single normally clocked (925MHz) AMD 7970 based graphics card which has 2048 cores is claimed to provide 555MH/sec. https://en.bitcoin.it/wiki/Mining_hardware

Re: [cryptography] Bitcoin-mining Botnets observed in the wild? (was: Re: Bitcoin in endgame

2012-05-11 Thread Adam Back
o do to catch up with biological computers in efficiency and horsepower. Adam On Sat, May 12, 2012 at 01:22:44AM +0200, Adam Back wrote: Strikes me 12TH/sec is not actually very much computation? http://bitcoinwatch.com/ also gives network hashrate at 12.4 TH/sec. But a single normally clocked (92

Re: [cryptography] Master Password

2012-05-31 Thread Adam Back
Reminds me of Feb 2003 - "Moderately Hard, Memory-bound Functions" NDSS 03, Martin Abadi, Mike Burrows, Mark Manasse, and Ted Wobber. (cached at) http://hashcash.org/papers/memory-bound-ndss.pdf By microsoft research, but then when Exchange and Outlook added a computational cost function, for ha

Re: [cryptography] Can there be a cryptographic "dead man switch"?

2012-09-06 Thread Adam Back
And make sure there are multiple internet connections to the hidden servers. Adam On Thu, Sep 06, 2012 at 03:40:23AM +0100, StealthMonger wrote: Good argument. Thanks. It makes Natanael's solution, or some variant of it, all the more appealing. Keep Natanael's servers secret, such as on sca

Re: [cryptography] [zfs] SHA-3 winner announced

2012-10-03 Thread Adam Back
(comment to Saso's email forwarded by Eugen): Well I think it would be fairer to say SHA-3 was initiated more in the direction of improving on the state of the art in security of hash algorithms given that SHA1 was demonstrated to have alarming short-falls, and given that the only remaining FIPS alt

Re: [cryptography] ZFS dedup? hashes (Re: [zfs] SHA-3 winner announced)

2012-10-04 Thread Adam Back
On Thu, Oct 04, 2012 at 11:47:08AM +0200, Jim Klimov wrote: [decrypting or confirming encrypted or ACLed documents via dedup] eg say a form letter where the only blanks to fill in are the name (known suspected) and a figure (<1,000,000 possible values). What sort of attack do you suggest? That

Re: [cryptography] Questions about crypto in Oracle TDE

2012-11-08 Thread Adam Back
I'd guess they mean salt is prepended to the plaintext and then presume eg then salt + plaintext encrypted with AES in CBC mode with a zero IV. That would be approximately equivalent to encrypting with a random IV (presuming the salt, IV and cipher block are all the same size) because CBC-Enc(

Re: [cryptography] Questions about crypto in Oracle TDE

2012-11-09 Thread Adam Back
On Thu, Nov 08, 2012 at 03:22:24PM -0800, Morlock Elloi wrote: However, if you use asymmetric crypto (say, 1024 or 2048-bit RSA), give only public key(s) to encrypting flows, and reserve the secret key(s) for modules that need the actual plaintext access (a rare situation in practice), then: Do

Re: [cryptography] Questions about crypto in Oracle TDE

2012-11-09 Thread Adam Back
On Fri, Nov 09, 2012 at 09:36:41AM -0800, Morlock Elloi wrote: As long as each encryption of the same plaintext yields the same ciphertext, indexing works. However, the space is tight - plaintext size is close to the cipher capacity. is there an inferred "so we have no space to pad the plainte

Re: [cryptography] Why using asymmetric crypto like symmetric crypto isn't secure

2012-11-11 Thread Adam Back
(I copied Hans-Joachim Knobloch onto the thread) Wiener is talking about small secret exponents (small d), no one does that. They choose smallish prime e, with low Hamming weight (for encryption/signature verification efficiency) like 65537 (10001h) and get a random d, which will by definition

[cryptography] current limits of proving MITM (Re: Gmail and SSL)

2012-12-16 Thread Adam Back
(note the tidy email editing, Ben, and other blind top posters to massive email threads :) See inline. On Sun, Dec 16, 2012 at 10:52:37AM +0300, ianG wrote: [...] we want to prove that a certificate found in an MITM was in the chain or not. But (4) we already have that, in a non-cryptographic w

Re: [cryptography] ElGamal Encryption and Signature: Key Generation Requirements?

2012-12-17 Thread Adam Back
Those are Lim-Lee primes where p=2n+1 where n is a B-smooth composite (meaning n = p0*p1*...*pk where each p0 is of size < B bits. http://www.gnupg.org/documentation/manuals/gcrypt/Prime_002dNumber_002dGenerator-Subsystem-Architecture.html So if Crypto++ is testing if the q from p=2q+1 is prime, its r

Re: [cryptography] ElGamal Encryption and Signature: Key Generation Requirements?

2012-12-18 Thread Adam Back
am On Tue, Dec 18, 2012 at 01:15:05AM +0100, Adam Back wrote: Those are Lim-Lee primes where p=2n+1 where n is a B-smooth composite (meaning n = p0*p1*...*pk where each p0 is of size < B bits. http://www.gnupg.org/documentation/manuals/gcrypt/Prime_002dNumber_002dGenerator-Subsystem-Architecture.ht

Re: [cryptography] ElGamal Encryption and Signature: Key Generation Requirements?

2012-12-18 Thread Adam Back
Well one reason people like Lim-Lee primes is it's much faster to generate them. That is because of prime density being lower for strong primes, at the sizes of p & q for p=2q+1 and you need to screen both p & q for primeness. With Lim-Lee as you maybe saw in the paper you just generate a few ext

Re: [cryptography] ElGamal Encryption and Signature: Key Generation Requirements?

2012-12-19 Thread Adam Back
they are laughing so hard. Jeff On Tue, Dec 18, 2012 at 8:29 PM, Adam Back wrote: Well one reason people like Lim-Lee primes is it's much faster to generate them. That is because of prime density being lower for strong primes, at the sizes of p & q for p=2q+1 and you need to screen both p &

[cryptography] fragilities of CTR vs CBC (Re: Tigerspike claims world first with Karacell for mobile security)

2012-12-27 Thread Adam Back
I think you could say CTR mode is fragile against counter reuse exposing plaintext pair XORs, but CBC is also somewhat fragile against IV reuse, forming an ECB code book around the set of same IV messages. CBC itself has other issues eg using non-repeating (but non-random) IVs, for example using

Re: [cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

2013-01-08 Thread Adam Back
IMO it is very bad practice that a number of banks use a domain that does not match the main domain and brand for the login. I have seen multiple examples of what James mentioned. For example www.natwest.com it does not redirect to HTTPS, further when you click on login, it goes to https://www.n

Re: [cryptography] yet another certificate MITM attack

2013-01-11 Thread Adam Back
For http there is a mechanism for cache security as this is an issue that does come up (you do not want to cache security information or responses with security information in them, eg cookies or information related to one user and then have the proxy cache accidentally send that to a different us

[cryptography] phishing/password end-game (Re: Why anon-DH ...)

2013-01-16 Thread Adam Back
There was a subthread in this huge PKI-is-failing and doesnt solve phishing thread looking at what might solve phishing (modulo engineering and deployment issues). To summarize Ian & Ben mentioned and I add a few: - client side certificates - password managers - browser auth - TPM to make creden

Re: [cryptography] Bonding or Insuring of CAs?

2013-01-25 Thread Adam Back
I had the impression this list and its predecessor moderated (too heavily IMO) by Perry were primarily about applied crypto. So you get to tolerate a bit of applied crypto security stuff if you're interested in crypto theory and vice versa. Seems healthy to me (cross informs both camps). In term

[cryptography] blinding to protect against timing-attacks on RSA sigs (Re: OAEP for RSA signatures?)

2013-01-27 Thread Adam Back
The RSA private key timing attack is much more likely than on padding because the cost is so much higher. Bleichenbacher like adaptive attacks are not so much timing as error code attacks (app is too chatty about whether padding was well formed after decryption), so thats a separate issue. For RS

Re: [cryptography] openssl on git

2013-01-28 Thread Adam Back
You know other source control systems, and presumably git also, have an excludes list which can contain wildcards. It comes prepopulated with eg *.o - as you probably dont want to check them in. I think you could classify this as a git bug (or more probably a mistake in how github are using/conf

[cryptography] ZKPs and other stuff at Zero Knowledge Systems (Re: "Zero knowledge" as a term for end-to-end encryption)

2013-02-13 Thread Adam Back
I dont think its too bad, its fairly intuitive and related english meaning also. At zero-knowledge we had a precedent of the same use: we used it as an intentional pun that we had "zero-knowledge" about our customers, and in actuality in one of the later versions we actually had a ZKP (to do with

Re: [cryptography] Bitmessage

2013-02-16 Thread Adam Back
With no criticism to the idea and motivation there are similarities with having a reply-to of a newsgroup such as alt.anonymous.messages, which is used as a more secure alternative to reply blocks. To pickup those messages anonymously you'd ideally need to be able to unobservably download newsgro

Re: [cryptography] Bitmessage

2013-02-20 Thread Adam Back
Seems to me neither of you read the reference I gave: I (Adam) wrote: It is tricky to get forward secrecy for store-and-forward messaging [2], but perhaps you could incorporate rekeying into your protocol in some convenient way. ... [2] http://cypherspace.org/adam/nifs/ Not impossible just not-

Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Adam Back
Unless you're selling SSL MITM boxes to tyrants & dictators, then of course its alright ;) Well maybe they'll turn a blind eye if the West is propping up that particular tyrant until they flip flop. Anyway wasnt all that US export of crypto code nonsense tidied up a decade or so ago? PRZ did not

Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Adam Back
The realism of export restricting open source software is utterly ludicrous. Any self-declaration click-through someone might implement can be clicked through by anyone, from anywhere, and I presume someone from an embargoed country is more worried about their own countries laws than US laws, to

[cryptography] msft skype IM snooping stats & PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

2013-03-23 Thread Adam Back
Was there anyone trying to use OpenPGP and/or X.509 in IM? I mean I know many IM protocols support SSL which itself uses X.509, but that doesnt really meaningfully encrypt the messages in a privacy sense as they flow in the plaintext through chat server with that model. btw is anyone noticing th

Re: [cryptography] msft skype IM snooping stats & PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

2013-03-24 Thread Adam Back
Ian wrote: Are we saying then that the threat on the servers has proven so small that in practice nobody's bothered to push a persistent key mechanism? Or have I got this wrong, and the clients are doing p2p exchange of their ephemeral keys, thus dispersing the risk? Its been a while since I

Re: [cryptography] Cypherpunks mailing list

2013-03-25 Thread Adam Back
Yeah but that is basically zero traffic, and I suspect in large part because its a silly domain that people who dislike inviting their addition to a watch-list will avoid. Maybe someone with a more neutral domain could try it - or a cypherpunks.* domain if they have a listserv handy. Adam On Mo

Re: [cryptography] Cypherpunks mailing list

2013-03-25 Thread Adam Back
On Mon, Mar 25, 2013 at 05:13:57PM +0100, Moritz wrote: On 25.03.2013 09:25, Adam Back wrote: because its a silly domain that people who dislike inviting their addition to a watch-list will avoid. Isn't exactly that a nice property of a "cypherpunks" list? No it is not,

Re: [cryptography] Cypherpunks mailing list

2013-03-25 Thread Adam Back
oint. But my point actually was b...@al-qaeda.net??? Come on that is watch list bait and an invitation NOT to join list blah, whatever it is about. Adam On Mon, Mar 25, 2013 at 06:18:14PM +0100, Eugen Leitl wrote: On Mon, Mar 25, 2013 at 05:50:18PM +0100, Adam Back wrote: Isn't exac

Re: [cryptography] Here's What Law Enforcement Can Recover From A Seized iPhone

2013-03-29 Thread Adam Back
I dont buy this "it wouldnt be cool so a consumer company wouldnt do it" argument. Seemingly companies are very susceptible to law enforcement, legal and government influence and pressure. I guess people are forgetting the hushmail episode. And the CA episodes. And much more recent microsoft s

Re: [cryptography] an untraceability extension to Bitcoin using a combination of digital commitments, one-way accumulators and zero-knowledge proofs,

2013-04-13 Thread Adam Back
Also without having read the article, but did read the blog post by one of the authors as Ian G said zerocoin appears to provide payment privacy, and public auditability while retaining distributed setting. However payment publicly auditable payment privacy comes from ZKP of non-set membership (f
