At 12:20 PM 2/4/2002, Bill Stewart wrote:
>A smartcard-only system probably _is_ too limited to generate keys,
>but that's the only realistic case I see.
Here are some manufacturer claims for the DataKey 330 smart card: average
of 23 seconds to generate a 1,024-bit RSA key, average of 3 minutes
At 02:46 PM 1/28/2002, [EMAIL PROTECTED] wrote:
>The process took about 20-30 minutes;
Have you been fingerprinted before? Did it take that long in that case? In
my own experience, it only takes a few minutes to be fingerprinted on a
standard card and, in theory, they should be able to build a
The essential problem I've always seen with biometrics (and one that
Dorothy Denning acknowledged in her recent op ed piece without seriously
examining) is the question of whether it's as efficient to deploy and
manage biometrics safely as it is to deploy and manage some keyed
alternative like
At 06:48 PM 11/5/2001, David Jablon wrote:
>Yet, strong network-based authentication of people does not require
>complex secret information ... if "complex" means demanding
>at least {64, 80, 128} random bits.
>
>With emerging strong password schemes, your average one-in-a-thousand
>or one-in-a-m
At 11:01 AM 11/5/2001, [EMAIL PROTECTED] wrote:
>The problem with all authentication technologies in use today from
>biometrics to PKI to digital certs, all finesse the identification process
>and push it off to some "trusted" third party...all without clearly
>defining what that third party m
At 09:49 AM 11/5/2001, [EMAIL PROTECTED] wrote:
>I tend to agree with you that we should extend the meaning
>of end-to-end to mean user-to-user, instead of device or
>token-to-token.
I'm not sure what this means.
If we get really specific, then a transaction between me and
a small used-book sel
At 11:59 AM 11/2/2001, vertigo wrote:
>I'm sorry, but I think I entered this thread a little late. What was
>being said about .NET? I know very little about it, but from what you
>have said it sounds pretty scary.
The thread started with an op-ed piece by Diffie and Landau about MS .Net,
brie
At 09:00 AM 11/1/2001, Roop Mukherjee wrote:
>Can someone offer some criticism of the practice of formal verification in
>general?
Okay, I'll grab this hot potato.
There are a few cases where a commercial development organization performs
formal verification, which would seem to indicate that it
>Rick Smith at Secure Computing writes:
> > While I would feel compassion for consumers
> > who are hurt or inconvenienced by some huge scam that exploited a poor
> > Microsoft security implementation, such a scenario would be
> > entertaining to watch.
At 11:44 AM 11/2/2001, vertigo wrote:
>The point is, without this cosmic notion of trust, _I_ could walk into a bank
>in semi-rural Turkey and pull hundreds of dollars from YOUR credit card
>account.
Of course. But this hasn't prevented people from acquiring and using credit
cards. More to t
At 11:08 AM 11/1/2001, vertigo wrote:
> It appears that a lot
>of work has to be done and a lot of money spent before even a small amount of
>trust in an individual's proof of identity (on a world- or Internet-wide
>scale) can be established.
Hmmm. I'm able to walk into a bank in semi-rural Ita
At 09:59 AM 10/16/2001, Peter Fairbrother wrote:
>The affidavit is extremely complex and hard to unravel, whether to try to
>preserve secrecy, in the hope that it will confuse the defence/Court, or
>perhaps it's just legalese, I don't know.
I spoke to someone a couple of years ago who had tried
At 05:21 AM 10/16/2001, Ben Laurie wrote:
>Rick Smith at Secure Computing wrote:
> > >Is this a serious security failure in PGP?
> >
> > No, it's a problem with any programmable computer. If you can install new
> > programs, you can install changes to existing
Stripping off the precise legal language, this looks like a software
keystroke logger that was carefully crafted to collect a PGP passphrase
while collecting as little other data as possible. Collecting evidence is
tricky business. You have to collect exactly the information you need, but
you
At 11:41 AM 10/2/2001, Bill Stewart wrote:
>At 07:23 PM 10/02/2001 +0300, Sampo Syreeni wrote:
>>Or integrate some computing power into those IBM thingies, and use
>>remotely keyed encryption. Enough power is available through USB so that
>>you don't have to end up with battery power.
>
>Sounds li
At 03:01 PM 9/30/2001, Dan Geer wrote:
> > Or in other words, the first requirement for perimeter security is
> > a perimeter.
>
>Wireless networks have no interior.
What you have is a perimeter that shrinks to that of the individual
devices. And you have to slice and dice your security pol
At 05:44 PM 9/24/2001, [EMAIL PROTECTED] wrote:
>In increasingly many environments, the term "perimeter" makes little sense.
>See, for example, the CCS-2000 paper on Distributed Firewalls by Sotiris
>Ioannidis et al. You can get it (among other places) from
>http://www.research.att.com/~smb/pape
There are obviously a number of arguments that even Senators might listen to.
1) This Act actually creates two types of computers: those that comply with
the Act and those that don't comply.
2) This Act artificially inflates the cost of a basic PC, making it much
harder to install them in scho
Declan McCullagh quoted the Post article:
>http://washingtonpost.com/wp-dyn/articles/A55606-2001Aug9.html
>"...Although agreeing that surveillance should be done under strict
>guidelines, Baker said that "to a degree, the privacy groups got us into
>this by arguing that there should be no limit
At 01:13 PM 7/27/2001, Steven M. Bellovin wrote:
>It's certainly not broad enough -- it protects "encryption" research,
>and the definition of "encryption" in the law is meant to cover just
>that, not "cryptography". And the good-faith effort to get permission
>is really an invitation to harrass
One of those recently posted lists of quotations included a reference to
Microsoft Knowledge Base article Q276304, from late June, which described
the following problem:
"SYMPTOMS
If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change
Password, type your existing MIT password, and