On 14 April 2016 at 00:16, Jerry Leichter wrote:
>>> Yes, make it significantly smaller than the current form factor.
>>
>> Ah. OK, well, that is certainly doable, though how small you can make it is
>> ultimately limited by the size of the display. How small do you want it,
On 9 May 2016 at 10:01, Luca Testoni wrote:
> On 06/05/2016 18:12, Kevin wrote:
>> I may be way off but it seems to me that a kernel level RNG can only
>> pick up entropy from boot which means hardware noise. Isn't that easy
>> to beat with an acoustic attack? Maybe user
On 27 February 2016 at 07:26, listo factor wrote:
>
> Those that criticize Apple should instead urge Apple's customers
> to use adequate keys. That however flies in the face of prevailing
> doctrine that security of digital systems must require absolute
> minimum of user
On 22 April 2015 at 17:24, John Young j...@pipeline.com wrote:
Futility of trying to eliminate every single vulnerability in a given piece
of software.
The name of the game is to protect the secrets despite bugs. And I
don't mean with cryptography.
On 18 April 2015 at 00:51, Tony Arcieri basc...@gmail.com wrote:
On Fri, Apr 17, 2015 at 11:56 AM, Ron Garret r...@flownet.com wrote:
The fact that to use PGP you have to install an application. (This is
true for Peerio as well.) That turns out to be too much friction for most
people.
On 15 December 2014 at 19:18, ianG i...@iang.org wrote:
https://www.kickstarter.com/projects/moonbaseotago/onerng-an-open-source-entropy-generator
About this project
After Edward Snowden's recent revelations about how compromised our internet
security has become some people have worried
On 1 May 2014 08:19, James A. Donald jam...@echeque.com wrote:
On 2014-04-30 02:14, Jeffrey Goldberg wrote:
On 2014-04-28, at 5:00 PM, James A. Donald jam...@echeque.com wrote:
Cannot outsource trust Ann usually knows more about Bob than a distant
authority does.
So should Ann verify the
On 29 April 2014 07:41, Ryan Carboni rya...@gmail.com wrote:
the only logical way to protect against man in the middle attacks would be
perspectives (is that project abandoned?) or some sort of distributed
certificate cache checking.
Or Certificate Transparency. :-)
On 28 April 2014 00:45, Arshad Noor arshad.n...@strongauth.com wrote:
On 04/27/2014 10:33 AM, Ben Laurie wrote:
http://www.links.org/files/SimplySecure.pdf
Ben,
As noble as the goals are of this initiative, the solution is
likely to be accepted only in UK and the USA - only because
On 28 April 2014 01:04, ianG i...@iang.org wrote:
On 27/04/2014 18:33 pm, Ben Laurie wrote:
We are hiring to improve the state of end-to-end crypto:
http://www.links.org/files/SimplySecureProgramDirectorJobPosting.pdf
http://www.links.org/files/SimplySecure.pdf
To paraphrase, work
We are hiring to improve the state of end-to-end crypto:
http://www.links.org/files/SimplySecureProgramDirectorJobPosting.pdf
http://www.links.org/files/SimplySecure.pdf
___
cryptography mailing list
cryptography@randombit.net
On 12 April 2014 19:57, Jeffrey Goldberg jeff...@goldmark.org wrote:
They also had a really nice statement about transparency back in September,
but I can't find it now.
https://www.globalsign.com/blog/trust-the-math-choose-your-friends-wisely.html
On 10 April 2014 01:17, travis+ml-rbcryptogra...@subspacefield.org wrote:
http://threatpost.com/crypto-model-based-on-human-cardiorespiratory-coupling/105284
This is nonsense, right? Unbounded in the sense of relying on secrecy of the
unbounded number of algorithms?
Also not novel. I don't
On 14 November 2013 03:29, shawn wilson ag4ve...@gmail.com wrote:
This is the only thing I've seen (haven't really looked):
http://stricture-group.com/files/adobe-top100.txt
I have to ask: snoopy1 more popular than snoopy? wtf?
On 4 November 2013 09:51, yersinia yersinia.spi...@gmail.com wrote:
NIST recently posted a recommendation very recently (IN DRAFT)
http://csrc.nist.gov/publications/drafts/800-52-rev1/draft_sp800_52_r1.pdf
If you ignore the bits about FIPS-140 and SP800-90A, it's not bad. But
fairly obvious.
It
: [capsicum] capsicum-linux codebase
To: cl-capsicum-disc...@lists.cam.ac.uk
Cc: Ben Laurie b...@google.com
Hi,
As some of you know, I'm working on getting Capsicum working in the Linux
kernel, based on the FreeBSD implementation and on previous work done by
Meredydd Luff in his stint as a Google intern
On 21 October 2013 16:57, Kyle Maxwell ky...@xwell.org wrote:
On Fri, Oct 18, 2013 at 4:18 AM, Ben Laurie b...@links.org wrote:
On 14 October 2013 14:36, Eugen Leitl eu...@leitl.org wrote:
Guys, in order to minimize Tor Project's dependence on
federal funding
Why?
Is that not self
On 14 October 2013 14:36, Eugen Leitl eu...@leitl.org wrote:
Guys, in order to minimize Tor Project's dependence on
federal funding
Why?
On 3 October 2013 14:13, Florian Weimer f...@deneb.enyo.de wrote:
On 02/10/13 at 08:51am, Florian Weimer wrote:
There is widespread belief that compressing before encrypting makes
cryptanalysis harder, so compression is assumed to be beneficial.
Any academic references?
Applied
On 30 September 2013 10:47, Adam Back a...@cypherspace.org wrote:
I think lack of soft-hosting support in TLS was a mistake - it's another
reason not to turn on SSL (IPv4 addresses are scarce and can only host one
SSL domain per IP#, that means it costs more, or a small hosting company
can
On 18 September 2013 22:23, Lucky Green shamr...@cypherpunks.to wrote:
According to published reports that I saw, NSA/DoD pays $250M (per
year?) to backdoor cryptographic implementations. I have knowledge of
only one such effort. That effort involved DoD/NSA paying $10M to a
leading
On 24 August 2013 19:55, Krisztián Pintér pinte...@gmail.com wrote:
Can it not? A distributed store for salts seems possible...
but then distributed keyring is also possible, is it not?
Yes. Or at least cloud storage for secrets.
On 21 August 2013 03:35, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
Hey Peter,
thanks for your analysis!
I think we need to provide some additional input!
In the context of GlobaLeaks where, stating from our Threat Model at
On 18 August 2013 02:55, James A. Donald jam...@echeque.com wrote:
On 2013-08-18 4:11 PM, Ben Laurie wrote:
If I chose to run Linux, I could fix the version I ran. In fact, I choose
not to run it, so I don't need to.
But if you write software, you don't write it just for your own
On 17 August 2013 06:01, ianG i...@iang.org wrote:
On 17/08/13 10:57 AM, Peter Gutmann wrote:
Nico Williams n...@cryptonector.com writes:
It might be useful to think of what a good API would be.
The problem isn't the API, it's the fact that you've got two mutually
exclusive
On 17 August 2013 08:05, ianG i...@iang.org wrote:
On 17/08/13 14:46 PM, Ben Laurie wrote:
On 17 August 2013 06:01, ianG i...@iang.org wrote:
On 17/08/13 10:57 AM, Peter Gutmann wrote:
Nico Williams n...@cryptonector.com
On 17 August 2013 10:09, Jeffrey Walton noloa...@gmail.com wrote:
On Sat, Aug 17, 2013 at 7:46 AM, Ben Laurie b...@links.org wrote:
...
Also, if there are other sources, why are they not being fed in to the
system PRNG?
Linux 3.x kernels decided to stop using IRQ interrupts (removal
The Certificate Transparency hack day will take place at Google’s London
offices on Wednesday, the 28th of August, 2013.
Please sign up on this form
(https://docs.google.com/a/google.com/forms/d/1jvO5OdkvRhyTV6XU4Q-YaRKlTSF7rh94LzRFbICHRg8/viewform)
by August 22nd, to let us know you plan to attend.
We've set the date: Weds Aug 28th at Google's London office.
More information to follow soon.
On 1 August 2013 22:32, Jeffrey Walton noloa...@gmail.com wrote:
On Thu, Aug 1, 2013 at 5:04 PM, Nico Williams n...@cryptonector.com wrote:
On Thu, Aug 1, 2013 at 12:57 PM, wasa bee wasabe...@gmail.com wrote:
... If everyone does their part CT causes the risk
of dishonest CA behavior
Since there was some puzzlement over CT, I thought it might be of
interest that we have revamped the site:
http://www.certificate-transparency.org/.
Comments and questions welcome.
On 13 July 2013 10:11, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
and run
a self-test with known-good test vectors on startup, and ... well, you get the
picture.
Amusing story: FIPS 140 requires self-tests on the PRNG. There was a
bug in FIPS OpenSSL once where the self-test mode got stuck
On 2 July 2013 11:25, Adam Back a...@cypherspace.org wrote:
I think it's time to deprecate non-https (and non-forward secret
ciphersuites.) Compute power has moved on, session caching works,
symmetric crypto is cheap.
Btw did anyone get a handle on session resumption - does it provide forward
On 2 July 2013 16:07, Adam Back a...@cypherspace.org wrote:
On Tue, Jul 02, 2013 at 11:48:02AM +0100, Ben Laurie wrote:
On 2 July 2013 11:25, Adam Back a...@cypherspace.org wrote:
does it provide forward secrecy (via k' = H(k)?).
Resumed [SSL] sessions do not give forward secrecy. Sessions
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote:
So then - what do you suggest to someone who wants to leak a document to
a press agency that has a GlobaLeaks interface?
I would suggest: don't use GlobalLeaks, use anonymous remailers.
Bottom line: Tor is weak against powerful
On 1 July 2013 01:55, Jacob Appelbaum ja...@appelbaum.net wrote:
I would like to see a tor configuration flag that sacrifices speed for
anonymity.
You're the first person, perhaps ever, to make that feature request
without it being in a mocking tone. At least, I think you're not mocking! :)
On 1 July 2013 14:33, Jacob Appelbaum ja...@appelbaum.net wrote:
I think having Mixmaster and MixMinion support in Tails and run over Tor
would be a good way to start. I also agree that GlobaLeaks should have
an interface for receiving leaks via either of those networks - though I
sometimes
On 20 May 2013 17:35, Nico Williams n...@cryptonector.com wrote:
On Fri, May 17, 2013 at 6:06 AM, Ben Laurie b...@links.org wrote:
On 17 May 2013 11:39, d...@geer.org wrote:
Trust but verify is dead.
Maybe for s/w, but not everything:
http://www.links.org/files
On 17 May 2013 11:39, d...@geer.org wrote:
I do wonder, can we reasonably expect that integrity of open
source software today? I'm not blaming anyone, let me explain:
The threat of forking or noticing any wrong doing was probably
enough in previous years. But these days, software is much
On 27 March 2013 17:20, Steven Bellovin s...@cs.columbia.edu wrote:
On Mar 27, 2013, at 3:50 AM, Jeffrey Walton noloa...@gmail.com wrote:
What is the reason for checksumming symmetric keys in ciphers like BATON?
Are symmetric keys distributed with the checksum acting as
an authentication tag?
On 23 March 2013 16:21, danimoth danim...@cryptolab.net wrote:
On 21/03/13 at 03:07am, Jeffrey Walton wrote:
Linux has not warmed up to the fact that userland needs help in
storing secrets from the OS.
http://standards.freedesktop.org/secret-service/
but maybe I have misunderstood your
On 23 March 2013 09:25, ianG i...@iang.org wrote:
Someone on another list asked an interesting question:
Why did OTR succeed in IM systems, where OpenPGP and x.509 did not?
Because Adium built it in?
(The reason this is interesting (to me?) is that there are not so many
instances in
On 23 March 2013 16:51, Peter Saint-Andre stpe...@stpeter.im wrote:
3. It was built into the most popular open-source IM clients (Pidgin
and Adium).
It isn't actually built in to Pidgin. Should be, IMO.
On 23 March 2013 18:08, Stephan Neuhaus stephan.neuh...@tik.ee.ethz.ch wrote:
On Mar 23, 2013, at 15:04, Adam Back wrote:
I think it's past time people considered switching to another IM client, an
open source one with p2p routed traffic and/or end 2 end security,
preferably with some
On 10 March 2013 01:25, Tony Arcieri tony.arci...@gmail.com wrote:
On Sat, Mar 9, 2013 at 4:16 PM, Jeffrey Walton noloa...@gmail.com wrote:
The Web Cryptography Working Group looks well organized, provides a
very good roadmap, and offers good documentation.
http://www.w3.org/2012/webcrypto/.
On 10 March 2013 01:57, Ryan Sleevi ryan+cryptogra...@sleevi.com wrote:
Finally, the recommendations are for what implementations should support.
There is not any mandatory to implement suite at this point. Instead, it's
looking at what are the algorithms in vast, sweeping use today in a number
On 10 March 2013 10:58, Paterson, Kenny kenny.pater...@rhul.ac.uk wrote:
On 10 Mar 2013, at 10:51, Ben Laurie wrote:
On 10 March 2013 01:25, Tony Arcieri tony.arci...@gmail.com wrote:
On Sat, Mar 9, 2013 at 4:16 PM, Jeffrey Walton noloa...@gmail.com wrote:
The Web Cryptography Working
On 5 March 2013 18:41, StealthMonger stealthmon...@nym.mixmin.net wrote:
Jeffrey Walton noloa...@gmail.com writes:
It's the key distribution problem. It's the cause of all the troubles.
I don't understand. Please explain.
What's wrong with the
On 6 February 2013 23:35, Jeffrey Walton noloa...@gmail.com wrote:
On Wed, Feb 6, 2013 at 7:17 AM, Moti m...@cyberia.org.il wrote:
Interesting read.
Mostly because of the people behind this project.
On 28 January 2013 13:37, Paul Christian pho...@gmail.com wrote:
Hi Folks,
I am new to the list and have an interest in encryption, but not much
experience in breaking/testing or a detailed understanding of modern methods.
I am interested in developing some technology to allow a user to
On 19 January 2013 07:45, James A. Donald jam...@echeque.com wrote:
On 2013-01-19 2:14 AM, ianG wrote:
Also, the confounded users tend to lose their phones or have them stolen.
And then they demand their 'identities' back, as if nothing has happened.
So the keys need to be agile, in some
On 14 January 2013 06:11, ianG i...@iang.org wrote:
On 13/01/13 22:47 PM, Jeffrey Walton wrote:
On Sun, Jan 13, 2013 at 1:20 PM, Warren Kumari war...@kumari.net wrote:
On Jan 12, 2013, at 4:27 AM, ianG i...@iang.org wrote:
On 11/01/13 02:59 AM, Jon Callas wrote:
On Tue, Jan 8, 2013 at 1:28 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
I've snipped most of this because, although it'd be fun to keep going back and
forth, I'm not sure if everyone else wants to keep reading the exchange (Ben,
we'll continue it over
On Tue, Jan 8, 2013 at 8:40 AM, ianG i...@iang.org wrote:
IMO, the answer to phishing is to solve the password problem, and the
solution to the password problem is really good password managers. But
I haven't had much luck selling that solution. Probably because,
rather like Peter's solution,
On Tue, Jan 8, 2013 at 11:42 AM, James A. Donald jam...@echeque.com wrote:
On 2013-01-08 7:26 PM, Ben Laurie wrote:
Modulo CAs not working correctly, this is what SSL does. So long as
you define the right server as being the one with the domain name
you navigated to.
Domain names
On 8 January 2013 18:06, Jeffrey Walton noloa...@gmail.com wrote:
On Tue, Jan 1, 2013 at 1:02 PM, Ben Laurie b...@links.org wrote:
We're experimenting with moving openssl to git. Again.
We've tried an import using cvs2git - does anyone have any views on
better tools?
You can see the results
On Sun, Jan 6, 2013 at 11:20 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org with:
a) I don't believe your figures,
Well I don't believe in the tooth fairy, but in this case you're going to have
to provide a more convincing rebuttal than I choose not to believe
On Mon, Jan 7, 2013 at 5:32 PM, Guido Witmond gu...@wtmnd.nl wrote:
What I read from the certificate-transparency.org website is that it intends
to limit to Global CA certificates. I would urge Mr Laurie and Google to
include all certificates, including self-signed. It would increase the value
On Sun, Jan 6, 2013 at 1:15 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
On Sat, Jan 5, 2013 at 1:26 PM, Peter Gutmann pgut...@cs.auckland.ac.nz
wrote:
In the light of yet another in an apparently neverending string of CA
failures, how long are browser
We're experimenting with moving openssl to git. Again.
We've tried an import using cvs2git - does anyone have any views on
better tools?
You can see the results here (not all branches pushed to github yet,
let me know if there's a particular branch you'd like me to add):
On Wed, Dec 26, 2012 at 9:38 PM, Jon Callas j...@callas.org wrote:
I took a look at it. Amusing. I didn't spend a lot of time on it. Probably
not more than twice what it took me to write this.
It has an obvious problem with known plaintext. You
On Thu, Dec 27, 2012 at 9:18 AM, Russell Leidich pke...@gmail.com wrote:
there are plenty of Googleable papers showing the Counter Mode is weak
relative to (conventional) cipher-block-chaining (CBC) AES.
Really? For example?
On Mon, Dec 24, 2012 at 12:22 PM, Jeffrey Walton noloa...@gmail.com wrote:
Has anyone had the privilege of looking at the stronger than military
grade [encryption] scheme?
http://innovblogdotcom.files.wordpress.com/2012/06/the-karacell-encryption-system-tech-paper1.pdf
Enjoy.
On Sun, Dec 16, 2012 at 7:52 AM, ianG i...@iang.org wrote:
On 16/12/12 02:41 AM, Ben Laurie wrote:
On Sat, Dec 15, 2012 at 10:01 PM, James A. Donald jam...@echeque.com
wrote:
On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
given some of the more recent attacks against Google
On Sun, Dec 16, 2012 at 8:47 AM, Adam Back a...@cypherspace.org wrote:
(note the tidy email editing, Ben, and other blind top posters to massive
email threads :)
I'm sorry - I use gmail which does, literally, make you blind to them.
I try to remember!
On Sun, Dec 16, 2012 at 9:48 AM, ianG i...@iang.org wrote:
Just to nitpick on this point, a CA certainly can claim that they or an
agent did not sign a certificate. And, they can provide the evidence, and
should have the ability to do this: CAs internally have logs as to what
they did or did
On Mon, Nov 5, 2012 at 5:07 AM, Nico Williams n...@cryptonector.com wrote:
On Sun, Nov 4, 2012 at 8:42 AM, Ben Laurie b...@links.org wrote:
On Sat, Nov 3, 2012 at 12:26 AM, James A. Donald jam...@echeque.com wrote:
On Oct 30, 2012 7:50 AM, Ben Laurie b...@links.org wrote:
The team has ruled
On Sat, Nov 3, 2012 at 12:26 AM, James A. Donald jam...@echeque.com wrote:
On Oct 30, 2012 7:50 AM, Ben Laurie b...@links.org wrote:
The team has ruled out having the master at github.
What is wrong with github?
TBH, I wouldn't mind much, but I think the concern is that it's not
under our
On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Fri, Oct 26, 2012 at 2:29 PM, John Case c...@sdf.org wrote:
I was recently reading the most dangerous code in the world article at
stanford:
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
On Tue, Oct 30, 2012 at 11:09 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie b...@links.org wrote:
On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Fri, Oct 26, 2012 at 2:29 PM, John Case c...@sdf.org wrote:
[SNIP
On Tue, Oct 30, 2012 at 11:17 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
Apparently you think the best way to get a secure platform is to apply
pressure through pointless security standards.
I think that's a bit of an extreme comment on FIPS 140
volunteer?
:-) Like most (good) open source projects: sustained contribution.
Matt
On Oct 30, 2012, at 10:12 AM, Ben Laurie b...@links.org wrote:
On Tue, Oct 30, 2012 at 11:58 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie b...@links.org wrote
On Tue, Oct 30, 2012 at 2:31 PM, Nico Williams n...@cryptonector.com wrote:
I strongly suggest you move to git ASAP. It's not hard, though some
history can be lost in the move using off-the-shelf conversion tools.
(MIT Kerberos recently moved from SVN to git, and before that, from
CVS to SVN,
.
The team has ruled out having the master at github.
On Tue, Oct 30, 2012 at 3:28 PM, Ben Laurie b...@links.org wrote:
On Tue, Oct 30, 2012 at 2:21 PM, Matthew Green matthewdgr...@gmail.com
wrote:
So:
1. What is the process by which you get OpenSSL contributors to notice a
serious
On Wed, Oct 10, 2012 at 4:34 PM, Joe St Sauver j...@oregon.uoregon.edu wrote:
The nice part about Shib, from a privacy POV, is that you only release/get
the attributes that may be necessary (thereby preserving user privacy).
A rather optimistic view of federated identity...
a) Who determines
On Wed, Oct 10, 2012 at 1:44 PM, Guido Witmond gu...@wtmnd.nl wrote:
Hello Everyone,
I'm proposing to revitalise an old idea. With a twist.
The TL;DR:
1. Ditch password based authentication over the net;
2. Use SSL client certificates instead;
Here comes the twist:
3. Don't use the
On Wed, Oct 10, 2012 at 4:54 PM, Steven Bellovin s...@cs.columbia.edu wrote:
On Oct 10, 2012, at 9:09 AM, Ben Laurie b...@links.org wrote:
On Wed, Oct 10, 2012 at 1:44 PM, Guido Witmond gu...@wtmnd.nl wrote:
Hello Everyone,
I'm proposing to revitalise an old idea. With a twist.
The TL;DR
On Wed, Oct 10, 2012 at 6:34 PM,
travis+ml-rbcryptogra...@subspacefield.org wrote:
I want to find common improper usages of OpenSSL library for SSL/TLS.
Can be reverse-engineered from a how to properly use OpenSSL FAQ,
probably, but would prefer information to the first point rather than
its
on something other than that which she clicked on?
On 2012-08-29 1:13 PM, Ben Laurie wrote:
Caja: http://code.google.com/p/google-caja/.
So Bob's server gets a page from Malloc's server, vanillizes it using Caja,
and serves Carol with Bob's content combined with vanilla Malloc content.
Or does Bob's
On Wed, Aug 29, 2012 at 2:33 AM, James A. Donald jam...@echeque.com wrote:
Suppose your web page incorporates some content from another url, a not
altogether trusted url. Let us call this other url Malloc. You, the owner
of the website and the author of the main part of the web page are Bob,
On Thu, Aug 16, 2012 at 1:30 AM, Patrick Mylund Nielsen
cryptogra...@patrickmylund.com wrote:
One curious note is that NIST recommends PBKDF2 for master key derivation,
and specifically writes, "The MK [PBKDF2 output] shall not be used for other
purposes." Perhaps the document was meant to
the Cyberoam CA certificate from their
browsers and decline to complete any connection which gives a
certificate warning.
Credit
==
This issue was discovered and analysed by Runa A. Sandvik of the Tor
Project and Ben Laurie.
On Wed, Apr 4, 2012 at 8:45 PM, Jeffrey Walton noloa...@gmail.com wrote:
Hi All,
Older iOS devices used a 4 digit PIN code, which was next to no
protection. Newer iOS allow passcodes which consist of a full
(fuller?) alphabet.
Assuming a weak password policy (for example, 4 or 6 characters)
http://www.links.org/?p=1226
Certificate Transparency: Spec and Working Code
Quite a few people have said to me that Certificate Transparency (CT)
sounds like a good idea, but they’d like to see a proper spec.
Well, there’s been one of those for quite a while, you
On Mon, Feb 20, 2012 at 12:42 PM, Solar Designer so...@openwall.com wrote:
On Sun, Feb 19, 2012 at 05:57:37PM +, Ben Laurie wrote:
In any case, I think the design of urandom in Linux is flawed and
should be fixed.
Do you have specific suggestions?
Short of making it block, I can think
On Mon, Feb 20, 2012 at 5:22 PM, Thierry Moreau
thierry.mor...@connotech.com wrote:
Then, basically the freebsd design is initial seeding of a deterministic
PRNG. If a) the PRNG design is cryptographically strong (a qualification
which can be fairly reliable if done with academic scrutiny),
On Sun, Feb 19, 2012 at 5:39 PM, Thierry Moreau
thierry.mor...@connotech.com wrote:
Ben Laurie wrote:
On Fri, Feb 17, 2012 at 8:39 PM, Thierry Moreau
thierry.mor...@connotech.com wrote:
Ben Laurie wrote:
On Fri, Feb 17, 2012 at 7:32 PM, Thierry Moreau
thierry.mor...@connotech.com wrote
On Fri, Feb 17, 2012 at 8:39 PM, Thierry Moreau
thierry.mor...@connotech.com wrote:
Ben Laurie wrote:
On Fri, Feb 17, 2012 at 7:32 PM, Thierry Moreau
thierry.mor...@connotech.com wrote:
Isn't /dev/urandom BY DEFINITION of limited true entropy?
$ ls -l /dev/urandom
lrwxr-xr-x 1 root
On Fri, Feb 17, 2012 at 7:32 PM, Thierry Moreau
thierry.mor...@connotech.com wrote:
Isn't /dev/urandom BY DEFINITION of limited true entropy?
$ ls -l /dev/urandom
lrwxr-xr-x 1 root wheel 6 Nov 20 18:49 /dev/urandom -> random
On Thu, Feb 16, 2012 at 5:05 PM, Jeffrey I. Schiller j...@qyv.net wrote:
What I found most interesting in Nadia's blog entry is this snippet of
(pseudo) code from OpenSSL:
1 prng.seed(seed)
2 p = prng.generate_random_prime()
3 prng.add_randomness(bits)
4 q =
On Wed, Feb 15, 2012 at 4:56 PM, Ben Laurie b...@links.org wrote:
On Wed, Feb 15, 2012 at 4:13 PM, Steven Bellovin s...@cs.columbia.edu wrote:
On Feb 14, 2012, at 10:02 PM, Jon Callas wrote:
On 14 Feb, 2012, at 5:58 PM, Steven Bellovin wrote:
The practical import is unclear, since there's
On Tue, Feb 7, 2012 at 9:56 AM, Marcus Brinkmann
marcus.brinkm...@ruhr-uni-bochum.de wrote:
Hi,
On 02/07/2012 03:52 AM, Steven Bellovin wrote:
http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars
While I am no fan of CRLs, I think it's worth
On Tue, Dec 6, 2011 at 10:48 AM, Florian Weimer fwei...@bfk.de wrote:
* Ben Laurie:
Given the recent discussion on Sovereign Keys I thought people might
be interested in a related, but less ambitious, idea Adam Langley and
I have been kicking around:
http://www.links.org/files
On Fri, Dec 2, 2011 at 10:02 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Adam Back a...@cypherspace.org writes:
Start of the thread was that Greg and maybe others claim they've seen a cert
in the wild doing MitM on domains they definitionally do NOT own.
It's not just a claim, I've seen
On Fri, Dec 2, 2011 at 4:14 PM, ianG i...@iang.org wrote:
On 2/12/11 23:00 PM, Peter Gutmann wrote:
I guess if you're running into this sort of thing for the first time then
you'd be out for blood, but if you've been aware of this it going on for
more
than a decade then it's just business as
On Wed, Nov 30, 2011 at 1:18 AM, Marsh Ray ma...@extendedsubset.com wrote:
On 11/27/2011 03:00 PM, Ben Laurie wrote:
Given the recent discussion on Sovereign Keys I thought people might
be interested in a related, but less ambitious, idea Adam Langley
and I have been kicking around:
http
On Wed, Nov 30, 2011 at 5:16 PM, Marsh Ray ma...@extendedsubset.com wrote:
On 11/30/2011 05:24 AM, Ben Laurie wrote:
On Wed, Nov 30, 2011 at 1:18 AM, Marsh Ray ma...@extendedsubset.com
wrote:
Perhaps the relevant property is certs issued by a browser-trusted
CA or subordinate regardless
On Thu, Dec 1, 2011 at 5:32 AM, Rose, Greg g...@qualcomm.com wrote:
On 2011 Nov 30, at 17:18 , Lee wrote:
On 11/30/11, Rose, Greg g...@qualcomm.com wrote:
On 2011 Nov 30, at 16:44 , Adam Back wrote:
Are there really any CAs which issue sub-CA for deep packet inspection
aka
doing MitM and
On Mon, Nov 28, 2011 at 10:39 AM, Chris Richardson
ch...@randomnonce.org wrote:
Today, a site operator can opt-out of the CA system by using a
self-signed certificate. When users go to the site they get a warning
that they blindly click-through. This degrades one of the main
benefits of the
On Mon, Nov 28, 2011 at 6:46 PM, Seth David Schoen sch...@eff.org wrote:
Ben Laurie writes:
How will the opt-out mechanism work so that it is not degraded by users
clicking through a warning?
Don't quite understand the question: if you have opted out you
shouldn't get a warning, surely