On Sun, Sep 11, 2011 at 10:45 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
James A. Donald jam...@echeque.com writes:
On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
1. Phishing isn't the only problem right?
2. To some degree this is a game where we have to guess their next
step, and make
On 11/09/2011, at 10:02, James A. Donald jam...@echeque.com wrote:
On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
1. Phishing isn't the only problem right?
Malware + breaches might be the other 2 biggies.
Note that the malware/pc takeover market was probably financed by profits from
On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
1. Phishing isn't the only problem right?
On 2011-09-11 7:44 PM, Ian G wrote:
Malware + breaches might be the other 2 biggies.
We now know in principle how to make malware resistant operating
systems,
Lucky Green shamr...@cypherpunks.to writes:
We are also seeing a near universal call for fixes of the broken PKI
paradigm. I couldn't agree more that fixes - and indeed redesigns - are badly
needed and have been for some 15+ years. Pretty much since the day the word
PKI was coined. What I hear
On 2011-09-10 11:22 AM, Peter Gutmann wrote:
Lucky Green shamr...@cypherpunks.to writes:
We are also seeing a near universal call for fixes of the broken PKI
paradigm. I couldn't agree more that fixes - and indeed redesigns - are badly
needed and have been for some 15+ years. Pretty much since
On Fri, Sep 9, 2011 at 6:22 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
May I make the following modest proposal:
A fix (of whatever form you want to try) is only regarded as valid if it
leads to at least a 25% decrease in phishing, measured over the interval
before and after its
Andy Steingruebl a...@steingruebl.com writes:
Got a prioritized list? I'll tell you what I'm doing about them. Quite
seriously actually...
See my off-list reply (it's my earlier ref to the EuroPKI talk again :-), I'll
post the slides next week when I've done the talk.
Actually, figuring out
On 2011-09-11 3:38 AM, Peter Gutmann wrote:
(Success criteria are the ultimate acid test of any new initiative, which is
why you'll never, ever see them specified for government projects. All the
people proposing new Rube Goldberg schemes - me included - should feel
confident enough in them
On 7/09/11 7:34 AM, Fredrik Henbjork wrote:
Here's another gem related to the subject. In 2003 CAcert wished to have
their root certificate added to Mozilla's browser, and in the resulting
discussion in Bugzilla, Mozilla cryptodeveloper Nelson Bolyard had the
following to say:
I have no
Ian G i...@iang.org writes:
Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar.
Actually I'm not sure that DigiNotar was the bottom, since they seem to have
been somewhat careful about the certs they issued. The bottom is the cert
vending machines that will issue a
On 09/07/2011 10:00 AM, Peter Gutmann wrote:
Ian G i...@iang.org writes:
Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar.
Actually I'm not sure that DigiNotar was the bottom, since they seem to have
been somewhat careful about the certs they issued. The bottom
Marsh Ray ma...@extendedsubset.com writes:
Do we need then a whole spectrum of Super Validation, Hyper Validation,
and Ludicrous Validation to address the ridiculous deficiencies found in
these current pwned EV CAs?
It has been suggested that we need a kind of meta-CA or CA for CAs (CACA).
Then
|
| It has been suggested that we need a kind of meta-CA or CA for CAs (CACA).
| Then the browser vendors could code CACA into the browsers, and we'd all be
| trusting in CACA.
|
| Or maybe we already are.
|
Peter (or anyone) -- would you comment on the existence and
practice of bridge
13 matches