his question need not be addressed now ( P(Y) unknown as t=0! ).
That's my usual list of questions. They may or may not apply to your
situation.
Thanks for sharing this.
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
current noise source:
- thermal noise
- excess current noise caused by the above resistor material construction
Noise sources to be reduced (as a matter of sampling approach coherency)
- electrostatic ...
- electromagnetic ...
Any thoughts?
Regard
important lessons, as a straightforward
solution path for a basic and recurring issue in IT security. Yet, the
difficult aspects of applied cryptography remain difficult, the document
being explicit about them.
Thus, why TLS?
- Thierry Moreau
___
cr
digital electronics paradigms prevailing
in a few mainstream system architectures. Is this effective versus some
criteria for RNG quality? Is this good enough for you?
It's your duty to figure out, I guess.
Regards,
- Thierry Moreau
___
cryptog
=
Who wants to be optimistic with respect to threat models in the current
IT landscape?
Do you?
(I much liked what I glimpsed from the original post.)
- Thierry Moreau
makes it look rather inconvenient to me.
--
Tony Arcieri
_
forensic tool created for them more than they
need the data on this specific iPhone (as I initially guessed), the risk
of a bad ruling for them would be a major step back in their creative
procurement of forensic tools. Hence the USG would prefer no ruling.
Regards,
- Thierry Moreau
s for not making a contribution out of my opinion
(you may use this message as you see fit).
Thanks in advance for comments!
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
s for not making a contribution out of my opinion
(you may use this message as you see fit).
Thanks in advance for comments!
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Hi,
Here is a quick review of the FIDO alliance authentication proposal [1].
After looking superficially at the specifications documentation [2], I
came to the tentative summary below. I did not feel a need to delve into
the companion documentation set [3].
Core cryptographic principles:
(
On 05/12/15 00:16, ianG wrote:
On 11/05/2015 17:56 pm, Thierry Moreau wrote:
On 05/09/15 11:18, ianG wrote:
Workshop on Elliptic Curve Cryptography Standards
June 11-12, 2015
I doubt the foremost questions will be addressed:
To which extent NSA influence motivates NIST in advancing the ECC
decisions,
but the very challenges of an efficient secure hash algorithm seems to
be the root cause, and not the NIST competition process.
With ECC, I have less confidence in NIST ability to leverage the
cryptographic community contributions.
- Thie
lection
should be part of the operating system service definition for
/dev/?random offered for cryptographic purposes but I have just a vague
idea of whether and how the open source community might move in this
direction.
Entropy is forever ... until a data leak occurs.
A diamo
Hi,
here is this new document:
"The Evanescent Security Module, Concepts and Linux Usage Strategies"
http://www.connotech.com/doc_ei_secmod.html (corrected URL)
(Not an April fool announcement despite the funny name for an HSM!)
Enjoy!
- Thie
Hi,
here is this new document:
"The Evanescent Security Module, Concepts and Linux Usage Strategies"
http://www.connotech.com/doc_ei_secomd.html
(Not an April fool announcement despite the funny name for an HSM!)
Enjoy!
- Thie
hniques would include a periodic look at patent applications freshly
published in this area and/or by the known players.
Fascinating case study anyway!
Regards,
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://list
s.
Lotus Notes security is special because it evolved from an RSA
technology license acquired prior to RSADSI, and they use certificates
without the ASN.1/X.509 paradigms.
Regards,
- Thierry Moreau
___
cryptography mailing list
cryptograp
wn about the
attack if not told by an insider.
Insider comsec disclosures may be finally getting legs,
not yet long, but more than NDA-official secrecy paralysis.
Any other cryptographer attacked (as if it would be known)?
--
- Thierry Moreau
___
cryptography
Tony Arcieri wrote:
On Thu, Jan 9, 2014 at 7:51 AM, Thierry Moreau
mailto:thierry.mor...@connotech.com>> wrote:
I would suggest that the DNSSEC deployment at the root would be a
good case study for IT security management, from an historic
perspective. The primary source doc
e NIST-approved solutions: they have much more
freedom when doing otherwise.
Have fun with key management challenges!
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
able to ICANN aren't available to you), you
may need to revise your understanding of underlying principles (hint:
don't start by reverse engineering the PKCS#12 specifications).
You may want to do it "best practice" and there you go.
Good luck
--
- Thierry Moreau
ianG wrote:
On 18/11/13 20:58 PM, Thierry Moreau wrote:
ianG wrote:
On 18/11/13 10:27 AM, ianG wrote:
In the cryptogram sent over the weekend, Bruce Schneier talks about how
to design protocols to stop backdoors. Comments?
To respond...
https://www.schneier.com/blog/archives/2013/10
agree with. Packets should be deterministically created
by the sender, and they should be verifiable by the recipient.
Then you lose the better theoretical foundations of probabilistic
signature schemes ...
--
- Thierry Moreau
___
cryptography
(it says it's already
enrolled while in fact it no longer works).
Solving this issue in your experiment is going to re-introduce much of
the PKI complexity.
Sorry for asking tough questions, but maybe they would pop up sooner or
later if this experiment goes forward.
Guido Witmond wrote:
On 09/30/13 19:31, Thierry Moreau wrote:
Perspective: I'm still working towards a working prototype based on
(A) the client PPKP usage paradigm (Public-Private Key Pair)
(B) the first party certification paradigm (get rid of requesting any
client PKI certificate fro
h you that the DH forcing a MITM arrangement is a useful
line of defense.
I question the marginal benefit of upgrading from a deployed base where
DH was omitted at the outset, under the PFS argument alone.
Regards,
- Thierry
Adam
On Thu, Jul 04, 2013 at 11:16:21AM -0400, Thierry Moreau
I would rather get users to raise their awareness and self-defense
against client system insecurity (seldom a cryptographer achievement).
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
n the tailoring project, you might find
that GPG is an overkill when only hash/signature validation is required.
This is sort of a trusting trust question.
So you knew the answer already.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
y by management exhaustion (the time we discuss this vs others ...).
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
___
cryptography mailing list
cryptography@ran
Peter Gutmann wrote:
Jeffrey Walton writes:
Android 4.0 and above also offer a Keychain (
http://developer.android.com/reference/android/security/KeyChain.html). If
using a lesser version, use a Keystore (
http://developer.android.com/reference/java/security/KeyStore.html).
What Android give
termeasures for
hardware-specific threats.
[...] how to limit the
possibilities of attacking the keys from another app.
OK, now you insert O/S abstraction and O/S-specific threats.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montr
unt of points required etc.
That way, one could provide services without the requirement of
registration, and still effectively limit abuse?
That's the early dream of a global PKI. Nowadays, we know more.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 P
a entry for transponder) during the emergency
landing. Thus the decision to land at the major airport (instead of a
secondary airport with less traffic in conflict but lower grade
facilities) is taken based on the "fail-safe" property of the
aircraft-to-ATC communicatio
Peter Gutmann wrote:
Thierry Moreau writes:
The Bleichenbacher attack adaptation to OAEP is non-existent today and would
be an even more significant academic result. I must assume that
Bleichenbacher would have published results in this direction if his research
would have given those
, i.e. resist Bleichenbacher even if the oracle still remains.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
___
cryptography mailing list
cryptography@randombi
ret random source dependency).
However I haven't seen any other code doing this - it is mostly PKCS1,
etc, and RFC3447 doesn't enlighten in this direction.
Could OAEP be considered reasonable for signatures? or is this a case
of totally inappropri
James A. Donald wrote:
On 2013-01-18 1:17 AM, Thierry Moreau wrote:
First, replace "client certificate" by client PPKP (public-private
key pair) and be ready for a significant training exercise. The
more the trainee knows about X.509, the greater challenge for the
trainer.
I
rganization and you will quickly reveal that
the participants' security is ineffective in the first place
against the bad bad boys.) I don't have any answer beyond a
suggestion to deploy first for security-critical distributed
applications (those would typically not be browser-based).
Regar
; and explained how
server authentication is effected.
Whether service agreements refer to these notions when they pretend to
offer a secure connection could be argued in an arbitration forum, but
this should be clear for the "experts" on this list.
Regards,
--
- Thierry Moreau
CO
John Kemp wrote:
[...] the _spirit_ of end-to-end semantics is violated here, I believe [...]
Personally, I am not a spiritual cryptography believer.
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http
I support his main point. End-to-end security should make
some sense, even today.
Regards,
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
o make academic results and IT
security innovation more palatable to IT experts. This is how I feel
responsible for the hopeless phishing minefield!
Regards,
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
htt
above
sketchy observation and the press article title.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
___
cryptography mailing list
cryptography@randombit.net
http
t B."
Application-level security breaches deserves application-level
countermeasures. IT security is a hindrance.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
__
pears as a lightweight IPsec, but certainly others can offer
more wisdom in this respect.
Not a simple solution, but how could the original post requirements be
adequately served by a simple solution?
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgo
Solar Designer wrote:
On Tue, Oct 30, 2012 at 11:29:17AM -0400, Thierry Moreau wrote:
Isn't memory-space cleanse() isolated from file system specifics except
for the swap space?
Normally yes, but the swap space may be in a file (rather than a disk
partition), or the swap partition may be
an existing one, sanitize the removed one (low-level, below file
system), put it back into the available set of partitions. I did not
experiment in practice.
But that "partition sanitation" strategy ought to be part of an "open
HSM" type of project.
--
- Thierry Moreau
CONNOTE
load between signer and
verifier are reversed (RSA signature is more CPU-intensive, DSA
verification is more CPU-intensive).
Regards,
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/lis
Hi Ian!
Thanks for this thoughtful feedback.
Your first and explicit question (about application security requirement
assumptions) deserves an answer. I respond to it (and a few more) and
postpone replies to other feedback.
ianG wrote:
Hi Thierry,
On 14/10/12 01:21 AM, Thierry Moreau
n covers both the private key and the
certificate does not help (you need to enter the private key access
password for accessing the certificate or even just the public key in a
PKCS#12 file).
Thanks in advance for sharing your views.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130
, my primary
focus is not the low-value authenticated web session use case.
Accordingly, some of the observations above may be out-of-sync with the
real world challenges.
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http
cure storage
arrangements and networks. The attack challenges the effectiveness of
encryption for sensitive keys.
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
contribution.
Take care my friends, meaning that is you see yourself as an applied
cryptographer, "spot the oracle".
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
_
ould I share a conclusion with
potential enemies? You may as well (truly random) draw your own conclusion.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
___
wnload-the-latest-bull-mountain-software-implementation-guide/
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
___
cryptography mailing list
cryptography@randombit.net
htt
Hi Peter,
Replying on the thinking process, not on the fundamentals at this time
(we seem to agree on the characteristics of PKC vs else).
Peter Gutmann wrote:
Thierry Moreau writes:
Unless automated SSH sessions are needed (which is a different problem
space), the SSH session is directly
andle your encrypted SSH
private key in a lousy way. But it seems inappropriate to assume that
better ways are not feasible.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
__
ike a notarization use case of crypto, with the attempt to
implement the notarization service without the help of a trusted
[timestamp/historic evidence] third party.
Just my attempt to summarize a lengthy explanation ... no further comments.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
Ian,
Thanks for this info, very interesting to see deployment experience for
successful client PK key pairs.
ianG wrote:
On 27/04/12 03:34 AM, Thierry Moreau wrote:
Here is the rationale for the question:
If an end-user has a certificate, he (more or less consciously) controls
a private
Follow-up on my own post below ...
Thierry Moreau wrote:
A question for those who follow PKI usage trends.
Is there a list of CAs that issue X.509 end-user certificates?
Here is the rationale for the question:
If an end-user has a certificate, he (more or less consciously) controls
a
based on casual observations. Also,
the SSL debugging tools will report the contents of CertificateRequest
messages from public servers supporting client certs.
Anyone went through such data collection before?
Thanks in advance.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place
Jonathan Katz wrote:
On Mon, 26 Mar 2012, Thierry Moreau wrote:
Florian Weimer wrote:
* Thierry Moreau:
The unusual public RSA exponent may well be an indication that the
signature key pair was generated by a software implementation not
encompassing the commonly-agreed (among number
Florian Weimer wrote:
* Thierry Moreau:
The unusual public RSA exponent may well be an indication that the
signature key pair was generated by a software implementation not
encompassing the commonly-agreed (among number-theoreticians having
surveyed the field) desirable strategies.
I don
Please let me try to summarize.
I guess it is OK to infer from Adam explanations and Peter observation
about homegrown CA software implementations used by some CAs that ...
The unusual public RSA exponent may well be an indication that the
signature key pair was generated by a software implem
pected to provide.
What is the problem being addressed and to who does the main benefit
accrue / from whom involvement is expected? Once I can see these, I may
appreciate Apache and browser backward compatibility features and the like.
Thanks for your patience with my scrutiny.
--
- Thierry Mor
definition.
Anyway, this whole thing about RSA modulus GCD findings questions us
about entropy in a renewed perspective (a reminder that future attack
vectors are deemed to be unexpected ones).
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Cana
esign is seldom at stake.
Just my view, enjoy!
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
___
cryptography mailing list
cryptography@randombit.net
http://l
Ben Laurie wrote:
On Fri, Feb 17, 2012 at 8:39 PM, Thierry Moreau
wrote:
Ben Laurie wrote:
On Fri, Feb 17, 2012 at 7:32 PM, Thierry Moreau
wrote:
Isn't /dev/urandom BY DEFINITION of limited true entropy?
$ ls -l /dev/urandom
lrwxr-xr-x 1 root wheel 6 Nov 20 18:49 /dev/urandom ->
I'd like to see it get sorted out well enough that kernels
can save the tens of KiB of nonpageable RAM they use for their entropy
pools
Maybe you want to be cheap and secure at once. Good luck.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Ben Laurie wrote:
On Fri, Feb 17, 2012 at 7:32 PM, Thierry Moreau
wrote:
Isn't /dev/urandom BY DEFINITION of limited true entropy?
$ ls -l /dev/urandom
lrwxr-xr-x 1 root wheel 6 Nov 20 18:49 /dev/urandom -> random
The above is the specific instance on your environment.
heoretical properties of the (deterministic) PRNG component of
/dev/urandom, they can not expand *true* entropy.
And this is so, no matter the amount of details you delegate to reputed
security software developers.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de M
Additionally, it should be easy to disable a root CA
certificate when shown to be the current basis of trust for some content.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
__
Regards,
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
ion management, but you seldom see them
addressed in public records of secure operations (the ICANN DNSSEC root
KSK management is the exception).
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
_
scenario occurred) by
the way the triple-DES upgrade project success has been described by a
bank technology specialist who would have been aware of the incident(s).
- Thierry Moreau
Again, I'm not arguing with Drew Gross's observation. It is just a bit
extreme to say it
;a CPU
unlikely to be infected by a Trojan". From there, you either pay for the
certification gimmick, or you mend your own solution. This is the basis
for an "open source HSM" ...
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place
he hostile web page needs a Trojan
to get it. This raises the bar.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
iang
Adam
On Mon, Sep 26, 2011 at 07:52:20AM +1000, ianG wrote:
On 25/09/11 10:09 AM, James A.
s not been very explicit about identity assertion
model. But the other two models are operating here and there in the IT
security landscape.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel.
Certificates with Domain Names For TLS)
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
___
cryptography mailing list
cryptography@randombit.net
http
e else than on one of these devices. Gone the
phishing threat!
About the answer to the question with the narrower point of view, it
really depends on having access to the design and implementation details
and being able to make a security/technological review.
Regards,
--
- Thierry Moreau
ryptographic processing which makes everything more error-prone.
Just my 0.02 cents.
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
y software process hosted in a virtualization environment be
provided with a) a secret random source, b) a place to store long-term
secrets, and c) some mechanism for external assessment of software
integrity?
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
re server is not hacked locally
on my laptop given that my children could have had root access to it at
least on one occasion? (OK, I could trust them more than the Air Force,
but you should see the point.)
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
it expires January 29, 2017.
The 1994.07.29 filing was followed by the PCT/CA95/00452 filed on
1995.07.31 which starts the 20 years patent term for the US patent
6141420. This is what I infer from looking at the first page of the
patent image.
Regards,
same
ius/fool ratio for out species, the odds
aren't very good".
Peter.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
http://www.connotech.com
___
cryptography mailing list
cryptograph
enforcement agencies are losing the ability to recover
deleted files as arguable court evidence. Nothing "catastrophic" since
the deleted file recovery feature is by accident in the other storage
technologies.
--
- Thierry Moreau
Alexander Klimov wrote:
It is also harder to rely on SSD a
(abstract reproduced
below).
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
Secret Random Source Design Notes
abstract
This document addresses the software and system design of a secret
random data source
x27;=0
c'=RSA_Enc( B_Pub, sk" ) +
RSA_Sig( A_pri, sk' || H( sk", sk', c' ) ) +
sk=H(sk",sk')
B maintains a database of outstanding values for sk' if it wishes to
validate the freshness.
Regards,
--
- Thierry Moreau
CONNOTECH Expert
at model, no critical security review, but compatibility,
performance, and usability review. Informative about a type of crypto
systems with a price tag that make then outside the reach of most of us.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 P
n may have caused the absence of a patent for the R-W scheme.
Hope it clarifies a bit!
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
___
cryptography mailing list
cr
HA fingerprints and user
information in a version/revision control system, i.e. bare digital
signatures applied to stored data. No predefined interoperability
requirements. This looks like an opportunity to look at innovative
signature schemes from the body of mathematical knowledge.
Regards,
-
be critically dependent on (long term) secret
protection in the application deterministic processing, you may as well
apply secret protection mechanisms to the PRNG state, and enjoy the
"peace of mind" (modulo above bla bla bla) provided
Peter Gutmann wrote:
Thierry Moreau writes:
As a derived engineering strategy, wouldn't it be better to design a system
where the long-term secrets are kept in a "secure" co-processor,
Yes, of course, but that's asking the wrong question, what you need to ask
olution, "digital signatures" were
deemed to remain a laboratory curiosity (as a non-repudiation mechanism).
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
Thanks Sandy, Peter and Jack for the feedback.
Just one clarification on a question I ask myself, see below.
Sandy Harris wrote:
Thierry Moreau wrote:
Bursts of cryptographic operations consuming random data will
force either a PRNG expander of randomness or true random data buffering
erties.
Comments are welcome!
CAVEAT
Elsewhere with the PUDEC proposal (http://pudec.connotech.com), I make
an argument for a unique arrangement featuring self-evident entropy
estimate but a random source data rate asymptotically close to zero.
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
91
95 matches
Mail list logo