Re: [cryptography] Math corrections [was: Let's go back to the beginning on this]

2011-09-18 Thread Ian G
On 18/09/11 2:59 PM, Arshad Noor wrote: On 09/17/2011 09:14 PM, Chris Palmer wrote: Thus, having more signers or longer certificate chains does not reduce the probability of failure; it gives attackers more chances to score a hit with (our agreed-upon hypothetical) 0.01 probability. After just

Re: [cryptography] Math corrections [was: Let's go back to the beginning on this]

2011-09-18 Thread Ian G
On 18/09/11 1:54 PM, Arshad Noor wrote: When one connects to a web-site, one does not trust all 500 CA's in one's browser simultaneously; one only trusts the CA's in that specific cert-chain. The probability of any specific CA from your trust-store being compromised does not change just because

Re: [cryptography] The Government and Trusted Third Party

2011-09-18 Thread Ian G
On 18/09/11 7:55 PM, M.R. wrote: On 18/09/11 09:12, Jeffrey Walton wrote: If you can secure the system from the government... I can't possibly be the only one here that takes the following to be axiomatic: +++ A communication security system, which depends on a corporate entity playing a

Re: [cryptography] Math corrections

2011-09-18 Thread Ian G
On 19/09/11 3:50 AM, Arshad Noor wrote: On 09/17/2011 10:37 PM, Marsh Ray wrote: It really is the fact that there are hundreds of links in the chain and that the failure of any single weak link results in the failure of the system as a whole. I'm afraid we will remain in disagreement on

Re: [cryptography] The Government and Trusted Third Party

2011-09-18 Thread Ian G
On 19/09/11 6:53 AM, James A. Donald wrote: On 2011-09-18 7:55 PM, M.R. wrote: It follows then that we are not looking at replacing the SSL system with something better, but at keeping the current SSL - perhaps with some incremental improvements - for the retail transactions, These days, most

Re: [cryptography] Math corrections

2011-09-18 Thread Ian G
On 19/09/11 7:11 AM, Marsh Ray wrote: Now that the cat's out of the bag about PKI in general and there's an Iranian guy issuing to himself certs for www.*.gov seemingly at will, Hmmm... did he do that? That would seem to get the message across to the PKI proponents far better than logic or

Re: [cryptography] Math corrections

2011-09-18 Thread Ian G
Hi Joe, On 19/09/11 5:30 AM, Joe St Sauver wrote: Ian asked: #Right -- how to fix the race to the bottom? Wasn't that supposed to be part of the Extended Validation solution? In a way, it was. More particularly it was the fix to certificate manufacturing. The obvious fix to low quality

Re: [cryptography] The Government and Trusted Third Party

2011-09-18 Thread Ian G
Hi James, On 19/09/11 1:39 PM, James A. Donald wrote: On 19/09/11 6:53 AM, James A. Donald wrote: These days, most retail transactions have a sign in. Sign ins are phisher food. SSL fails to protect sign ins. On 2011-09-19 1:12 PM, Ian G wrote: Hence, frequent suggestions to uptick

Re: [cryptography] Let's go back to the beginning on this

2011-09-16 Thread Ian G
On 17/09/11 2:33 AM, Ben Laurie wrote: A sufficiently low upper bound is convincing enough :-) This is all the example seeks to show: There is a low upper bound. We really don't care whether it is 1% or 30%, or +/- 2% or finger in the air... as long as it is too low to be credible. We

Re: [cryptography] The consequences of DigiNotar's failure

2011-09-16 Thread Ian G
On 17/09/11 3:07 AM, M.R. wrote: On 16/09/11 09:16, Jeffrey Walton wrote: The problem is that people will probably die due to DigiNotar's failure. I am not the one to defend DigiNotar, but I would not make such dramatic assumption. No one actively working against a government that is known to

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Ian G
On 15/09/2011, at 15:40, Kevin W. Wall kevin.w.w...@gmail.com wrote: Trust is not binary. Right. Or, in modelling terms, trust isn't absolute. AES might be 99.99% reliable, which is approximately 100% for any million or so events [1]. Trust in a CA might be more like 99%. Now, if we

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Ian G
On 16/09/2011, at 1:22, Andy Steingruebl a...@steingruebl.com wrote: On Wed, Sep 14, 2011 at 7:34 PM, Arshad Noor arshad.n...@strongauth.com wrote: However, an RP must assess this risk before trusting a self-signed Root CA's certificate. If you believe there is uncertainty, then don't

Re: [cryptography] Let's go back to the beginning on this

2011-09-13 Thread Ian G
On 13/09/2011, at 23:57, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald jam...@echeque.com wrote: -- On 2011-09-11 4:09 PM, Jon Callas wrote: The bottom line is that there are places that continuity works well -- phone calls are actually a good

Re: [cryptography] After the dust settles -- what happens next? (v. Long)

2011-09-12 Thread Ian G
The problem with shifts of faith is that if there is really a groundswell against, we're as likely to miss it. People who leave generally do exactly that, and don't bother talking about it. That said .. Some of us observe a third, more likely approach: nothing significant happens due to

Re: [cryptography] PKI - and the threat model is ...?

2011-09-12 Thread Ian G
On 13/09/2011, at 0:15, M.R. makro...@gmail.com wrote: In these long and extensive discussions about fixing PKI there seems to be a fair degree of agreement that one of the reasons for the current difficulties is the fact that there was no precisely defined threat model, documented and

Re: [cryptography] PKI - and the threat model is ...?

2011-09-12 Thread Ian G
On 13/09/2011, at 5:12, Marsh Ray ma...@extendedsubset.com wrote: It never was, and yet, it is asked to do that routinely today. This is where threat modeling falls flat. The more generally useful a communications facility that you develop, the less knowledge and control the engineer

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-11 Thread Ian G
On 11/09/2011, at 10:02, James A. Donald jam...@echeque.com wrote: On 2011-09-11 9:10 AM, Andy Steingruebl wrote: 1. Phishing isn't the only problem right? Malware + breaches might be the other 2 biggies. Note that the malware/pc takeover market was probably financed by profits from

[cryptography] After the dust settles -- what happens next? (v. Long)

2011-09-11 Thread Ian G
Lucky Peter said: Moreover, I noticed that some posts list one or more desirable properties and requirements together with a proposed solution. That's the nice thing about PKI, there's more than enough fail to go around. So, what happens now? As we all observe, there are two approaches

Re: [cryptography] PKI fixes that don't fix PKI (part III)

2011-09-10 Thread Ian G
Arrgghh apologies. I fell asleep over my iPhone and my finger slid over the Send button. On 10/09/2011, at 8:46, Ian G i...@iang.org wrote: On 09/09/2011, at 9:11, Lucky Green shamr...@cypherpunks.to wrote: o What do I mean by the SSL system? I've taken to using TLS

Re: [cryptography] PKI fixes that don't fix PKI (part III)

2011-09-10 Thread Ian G
Hi Steve, On 11/09/2011, at 1:07, Steven Bellovin s...@cs.columbia.edu wrote: Sorry, that doesn't work. Afaik, there is practically zero evidence of Internet interception of credit cards. This makes no sense whatsoever. (the point here is that the original statement said we had limited

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-08 Thread Ian G
On 08/09/2011, at 11:31, Lucky Green shamr...@cypherpunks.to wrote: The SSL/public CA model did an admirable job in that regard and Taher ElGamal and Paul Kocher deserve full credit for this accomplishment. As long as we can document that original model, I'm inclined to agree. SSL's

Re: [cryptography] PKI fixes that don't fix PKI (part II)

2011-09-08 Thread Ian G
Hi, Lucky, good to see some perspective! On 08/09/2011, at 8:52, Lucky Green shamr...@cypherpunks.to wrote: o Changes to OCSP . The problem was that the top three CA vendors at the time, RSA Security, VeriSign, and Netscape didn't have a comprehensive database of certificates issued by

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Ian G
On 7/09/11 7:34 AM, Fredrik Henbjork wrote: Here's another gem related to the subject. In 2003 CAcert wished to have their root certificate added to Mozilla's browser, and in the resulting discussion in Bugzilla, Mozilla cryptodeveloper Nelson Bolyard had the following to say: I have no

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Ian G
On 8/09/11 5:34 AM, Fredrik Henbjork wrote: http://www.globalsign.com/company/press/090611-security-response.html This whole mess just gets better and better... As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete.

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Ian G
On 8/09/11 6:02 AM, I wrote: H I'm not sure I'd suspend issuance without some evidence. On 8/09/11 6:13 AM, Franck Leroy wrote, coz he checked the source!: http://pastebin.com/GkKUhu35 extract: Third: You only heards Comodo (successfully issued 9 certs for me - thanks by the

Re: [cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

2011-09-05 Thread Ian G
On 5/09/11 7:23 PM, Gervase Markham wrote: The thing which makes the entire system as weak as its weakest link is the lack of CA pinning. Just a question of understanding: how is the CA pinning information delivered to the browser? (For those who don't know, I also had to look it up too

Re: [cryptography] Smart card with external pinpad

2011-08-20 Thread Ian G
On 21/08/11 6:21 AM, Simon Josefsson wrote: Thierry Moreau writes: If there were devices meeting the stated goal (commercially available with a reasonable cost structure), they would be a very useful security solution element for high security contexts. The user guidance would be: never enter

Re: [cryptography] bitcoin scalability to high transaction rates

2011-07-20 Thread Ian G
On 20/07/11 9:08 PM, Eugen Leitl wrote: On Wed, Jul 20, 2011 at 11:56:06AM +0200, Alfonso De Gregorio wrote: I'd better rephrase it in: expectation to have money backed by bitcoins exhibiting all the desirable properties of a perfect currency (ie, stable money) are greatly exaggerated. The

Re: [cryptography] OTR and deniability

2011-07-18 Thread Ian G
Back in the 1980s, a little thing called public key cryptography gave birth to a metaphor called the digital signature which some smart cryptographers thought to be a technological analogue of the human manuscript act of signing. It wasn't, but this didn't stop the world spending vast sums to

Re: [cryptography] OTR and deniability

2011-07-14 Thread Ian G
On 14/07/11 12:37 PM, Ai Weiwei wrote: Hello list, Recently, Wired published material on their website which are claimed to be logs of instant message conversations between Bradley Manning and Adrian Lamo in that infamous case. [1] I have only casually skimmed them, but did notice the

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Ian G
On 13/07/11 9:25 AM, Marsh Ray wrote: On 07/12/2011 04:24 PM, Zooko O'Whielacronx wrote: On Tue, Jul 12, 2011 at 11:10 AM, Hill, Brad bh...@paypal-inc.com wrote: I have found that when H3 meets deployment and use, the reality too often becomes: Something's gotta give. We haven't yet found a

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Ian G
On 13/07/11 3:10 AM, Hill, Brad wrote: Re: H3, "There is one mode and it is secure" I have found that when H3 meets deployment and use, the reality too often becomes: Something's gotta give. We haven't yet found a way to hide enough of the complexity of security to make it free, and this

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ian G
On 13/07/11 9:27 PM, Ralph Holz wrote: Hi, You know this is why you should use ssh-keys and disable password authentication. First thing I do when someone gives me an ssh account. Using keys to authenticate is what I usually do, too. But even if a user decides not to use plain password auth,

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ian G
On 14/07/11 4:33 AM, Jeffrey Walton wrote: On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald jam...@echeque.com wrote: On 2011-07-13 9:10 PM, Peter Gutmann wrote: As for Microsoft, Microsoft have a big interest in bypassing the status quo, and they've tried several times. But each time it

Re: [cryptography] preventing protocol failings

2011-07-12 Thread Ian G
On 13/07/11 8:36 AM, Andy Steingruebl wrote: On Tue, Jul 12, 2011 at 2:24 PM, Zooko O'Whielacronx zo...@zooko.com wrote: When systems come with good usability properties in the key management (SSH, and I modestly suggest ZRTP and Tahoe-LAFS) then we don't see this pattern. People are willing

Re: [cryptography] Bitcoin observation

2011-07-05 Thread Ian G
On 5/07/11 4:44 PM, Jon Callas wrote: Did you know that if a Bitcoin is destroyed, then the value of all the other Bitcoins goes up slightly? That's incredible. It's amazing and leads to some emergent properties. This assumes fixed value. As there is no definition of the value in BitCoin,

Re: [cryptography] preventing protocol failings

2011-07-05 Thread Ian G
On 5/07/11 3:59 PM, Jon Callas wrote: There are plenty of people who agree with you that options are bad. I'm not one of them. Yeah, yeah, sure, it's always easy to make too many options. But just because you can have too many options that doesn't mean that zero is the right answer. That's

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-29 Thread Ian G
On 28/06/11 1:01 PM, Paul Hoffman wrote: And this discussion of ASCII and internationalization has what to do with cryptography, I personally think this list is about users of crypto, rather than cryptographers-creators in particular. The former are mostly computer scientists who think in

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Ian G
On 28/06/11 11:25 AM, Nico Williams wrote: On Tue, Jun 28, 2011 at 9:56 AM, Marsh Ray ma...@extendedsubset.com wrote: Consequently, we can hardly blame users for not using special characters in their passwords. The most immediate problem for many users w.r.t. non-ASCII in passwords is not

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-27 Thread Ian G
On 26/06/11 1:26 PM, Marsh Ray wrote: On 06/25/2011 03:48 PM, Ian G wrote: On 21/06/11 4:15 PM, Marsh Ray wrote: This was about the CNNIC situation, Ah, the "I'm not in control of my own root list" threat scenario. See, the thing there is that CNNIC has a dirty reputation. That's part

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Ian G
On 26/06/11 5:50 AM, Ralph Holz wrote: Hi, Any model that offers a security feature to a trivially tiny minority, to the expense of the dominant majority, is daft. The logical conclusion of 1.5 decades worth of experience with centralised root lists is that we, in the aggregate, may as well

[cryptography] this house believes that user's control over the root list is a placebo

2011-06-25 Thread Ian G
On 21/06/11 4:15 PM, Marsh Ray wrote: On 06/21/2011 12:18 PM, Ian G wrote: On 18/06/11 8:16 PM, Marsh Ray wrote: On 06/18/2011 03:08 PM, slinky wrote: But we know there are still hundreds of trusted root CAs, many from governments, that will silently install themselves into Windows

Re: [cryptography] Is Bitcoin legal?

2011-06-16 Thread Ian G
On 16/06/11 12:34 AM, John Levine wrote: Bitcoins aren't securities, because they don't act like securities. Right. Or more particularly, he asked: ... I can’t help wondering why Bitcoins aren’t unregistered securities. And the answer is that the registrar of securities defines what

Re: [cryptography] Crypto-economics metadiscussion

2011-06-14 Thread Ian G
On 14/06/11 2:31 AM, Marsh Ray wrote: I 'aint no self-appointed moderator of this list and I do find the subject of economics terribly interesting, but maybe it would make sense to willfully confine the scope of our discussion of Bitcoin and other virtual currencies to the crypto side of it.

Re: [cryptography] Crypto-economics metadiscussion

2011-06-14 Thread Ian G
On 15/06/11 12:47 AM, Ian G wrote: Or worse: http://forum.bitcoin.org/index.php?topic=16457.0 That link is down, no surprise. From my cached copy, I wrote it up on the blog: http://financialcryptography.com/mt/archives/001327.html Far too much from me, signing out... iang

[cryptography] Is BitCoin a triple entry system?

2011-06-13 Thread Ian G
On 13/06/11 12:56 PM, James A. Donald wrote: On 2011-06-12 8:57 AM, Ian G wrote: I wrote a paper about John Levine's observation of low knowledge, way back in 2000, called Financial Cryptography in 7 Layers. The sort of unstated thesis of this paper was that in order to understand this area you

Re: [cryptography] Digital cash in the news...

2011-06-13 Thread Ian G
On 13/06/11 5:54 PM, Adam Back wrote: Bitcoin is not a pyramid scheme, and doesn't have to have the collapse and late joiner losers. If bitcoin does not lose favor - ie the user base grows and then maintains size of user base in the long term, then no one loses. Um, Adam, that's the very

Re: [cryptography] Digital cash in the news...

2011-06-12 Thread Ian G
On 12/06/11 4:21 PM, Peter Gutmann wrote: Am I the only one who thinks it's not coincidence that the (supposed) major use of bitcoin is by people buying hallucinogenic substances? The best way to think of this is from the marketing concepts of product diffusion or product life cycle.

Re: [cryptography] attacks against bitcoin

2011-06-12 Thread Ian G
On 12/06/11 8:16 PM, Eugen Leitl wrote: How safe is the bitcoin cryptosystem and the communication network against targeted attacks? It depends on what the intention or objective of the attack is. And that depends on the threat actor. For example, a phishing threat actor would be looking

Re: [cryptography] Digital cash in the news...

2011-06-11 Thread Ian G
On 12/06/11 8:29 AM, Jeffrey Walton wrote: On Sat, Jun 11, 2011 at 4:13 PM, John Levine jo...@iecc.com wrote: Unlike fiat currencies, algorithms assert limit of total volume. And the mint and transaction infrastructure is decentral, so there's no single point of control. These both are very

Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Ian G
On 6/06/11 11:57 AM, David G. Koontz wrote: On 5/06/11 6:26 PM, Peter Gutmann wrote: That's the thing, you have to consider the threat model: If anyone's really that desperately interested in watching your tweets about what your cat's doing as you type them then there are far easier attack

Re: [cryptography] encrypted storage, but any integrity protection?

2011-01-16 Thread Ian G
On 14/01/11 5:40 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: So does anyone know off the top of their head whether dm-crypt or TrueCrypt (or other encrypted storage things) promise data integrity in any way, shape or form? I'm assuming they're just encrypting, but figured I'd ask

Re: [cryptography] wanted: recommendations for best papers in cryptology

2011-01-08 Thread Ian G
Following is written as a user perspective, not a cryptography perspective :) On 8/01/11 1:03 PM, travis+ml-rbcryptogra...@subspacefield.org wrote: Hey all, I'm attempting to create an extensive archive of papers on -graphy and -analysis, locally stored and broken down by category/hierarchy,

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-17 Thread Ian G
(resend, with right sender this time) On 17/12/10 3:30 PM, Peter Gutmann wrote: To put it more succinctly, and to paraphrase Richelieu, give me six lines of code written by the hand of the most honest of coders and I'll find something in there to backdoor. This is the sort of extraordinary

Re: [cryptography] current digital cash / anonymous payment projects?

2010-12-01 Thread Ian G
On 1/12/10 6:12 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: Can anyone give me a good rundown of the current anonymous payment systems, technologies and/or algorithms? OK, there are some issues here. There is technology, algorithms, patents, techniques, protocols, applications,

Re: [cryptography] current digital cash / anonymous payment projects?

2010-12-01 Thread Ian G
On 2/12/10 1:36 AM, Rayservers wrote: Not really, but one thing is: if you build it bottom-up, from the crypto, you'll have trouble :) Instead, look to the business, and go bottom down. You mean top down... :) Oh, snap! Yes, exactly. iang Which is exactly going on here:

Re: [cryptography] AES side channel attack using a weakness in the Linux scheduler

2010-11-26 Thread Ian G
On 25/11/10 3:26 AM, Jack Lloyd wrote: What are people's thoughts on these kinds of local cache attacks, in terms of actual systems security? While obviously very powerful, I tend to think that once you have a focused attacker in an unprivileged account on your machine, you have bigger problems

[cryptography] not trusted

2010-11-22 Thread Ian G
On 21/11/10 11:19 PM, Peter Gutmann wrote: Ian G i...@iang.org writes: It sucks so badly, I decided in future that the only moral and ethical way one could use the words "encryption" or "security" or the like in any conversation was if the following were the case: there is only one mode, and

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-21 Thread Ian G
On 21/11/10 8:37 AM, Marsh Ray wrote: On 11/19/2010 05:39 PM, Ian G wrote: I don't think this qualifies as a bait-and-switch scenario because the originally-advertised functionality (the bait) is still part of the package. :) Bait-and-switch would be more like a salesperson saying

Re: [cryptography] patents and stuff (Re: NSA's position in the dominance stakes)

2010-11-20 Thread Ian G
On 21/11/10 2:45 AM, John Levine wrote: By the way, what does all this semi-informed ranting about patents have to do with cryptography? NSA's dominance in security engineering? = example of DES-era crypto dominance = ECC push today means? = patents complication = war of words! The

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Ian G
On 20/11/10 2:10 PM, James A. Donald wrote: Ian G wrote: On this I would demur. We do have a good metric: losses. Risk management starts from the business, and then moves on to how losses are affecting that business, which informs our threat model. We now have substantial measurable history