RE: U.S. seeks OSCE pact on biometric passports

> Duncan Frissell[SMTP:[EMAIL PROTECTED] writes: > > Anyone have any pointers to non destructive methods of rendering Smart > Chips unreadable? Just curious. > > > On Mon, 1 Sep 2003, R. A. Hettinga wrote: > > > > r>

Re: PRNG design document?

On Fri, Aug 29, 2003 at 03:43:40PM -0400, Tim Dierks wrote: > [snip] > > Allow me to clarify my problem a little. I'm commonly engaged to review > source code for a security audit, some such programs include a random > number generator, many of which are of ad-hoc design. The nature of such > au

Re: Is cryptography where security took the wrong branch?

In message <[EMAIL PROTECTED]>, Ian Grigg <[EMAIL PROTECTED]> wrote: > For example, he states that 28% of wireless > networks use WEP, and 1% of web servers use SSL, > but doesn't explain why SSL is a "success" and > WEP is a "failure" :-) Actually, he does; slide 11 is titled "Why has SSL succeed

Re: PRNG design document?

"Anton Stiglic" <[EMAIL PROTECTED]> writes: >It is important to chose both a random seed and random key, and FIPS 140 has >no provision for this. Yes it does, you just have to interpret it correctly. The post-processed pool output [from the cryptlib generator] is not sent directly to the cal

Re: invoicing with PKI

Hadmut Danisch <[EMAIL PROTECTED]> writes: >There was an interesting speech held on the Usenix conference by Eric >Rescorla (http://www.rtfm.com/TooSecure-usenix.pdf, unfortunately I did not >have the time to visit the conference) about cryptographic (real world) >protocols and why they failed to

Re: U.S. seeks OSCE pact on biometric passports

At 04:50 PM 9/2/03 -0400, Duncan Frissell wrote: >Anyone have any pointers to non destructive methods of rendering Smart >Chips unreadable? Just curious. > >DCF Perhaps I'm being dense but how could this be non-destructive? Do you mean "non-obvious"? Or "reversible"? If the usual microwave g

Re: invoicing with PKI

-- On 1 Sep 2003 at 12:23, Ian Grigg wrote: > I suspect the widest use of public key crypto in a non-PKI > context would be SSH, which opportunistically generates keys > rather than invite the user to fund a PKI. According to this > page [1], there may or may not be 2,400k SSH servers This of

Re: invoicing with PKI

-- On 1 Sep 2003 at 19:17, Hadmut Danisch wrote: > Is cryptography where security took the wrong branch? True names is where security took the wrong branch. The entire PKI structure has been rejected. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG

Re: invoicing with PKI

Peter Gutmann wrote: > > Hadmut Danisch <[EMAIL PROTECTED]> writes: > > >There was an interesting speech held on the Usenix conference by Eric > >Rescorla (http://www.rtfm.com/TooSecure-usenix.pdf, unfortunately I did not > >have the time to visit the conference) about cryptographic (real world)

Re: Is cryptography where security took the wrong branch?

Eric Rescorla wrote: > > Ian Grigg <[EMAIL PROTECTED]> writes: > > That's a scary talk! I see a lot of familiar > > stuff, but it seems that whilst Eric courts the > > dark side of real security, he holds back from > > really letting go and getting stuck into SSL. > > > > For example, he states t

Re: Is cryptography where security took the wrong branch?

Ian Grigg <[EMAIL PROTECTED]> writes: >There appear to be a number of metrics that have been suggested: > > a. nunber of design "wins" > b. penetration into equivalent unprotected market > c. number of actual attacks defeated > d. subjective good at the application level > e. worthl

Re: Is cryptography where security took the wrong branch?

Ian Grigg <[EMAIL PROTECTED]> writes: > Eric Rescorla wrote: > > Ian Grigg <[EMAIL PROTECTED]> writes: > > I think it's pretty > > inarguable that SSL is a big success. > > One thing that has been on my mind lately is how > to define success of a crypto protocol. I.e., > how to take your thoughts

Re: invoicing with PKI

>Peter Gutmann wrote: >>It's no less secure than what's being done now, and >>since you can make it completely invisible to the user at least it'll get >>used. If all new MTA releases automatically generated a self-signed cert and >>enabled STARTTLS, we'd see opportunistic email encryption adopted

Re: Is cryptography where security took the wrong branch?

At 10:09 PM 9/2/2003 +, Michael Shields wrote: I would agree that HTTPS has been more successful than WEP, in the sense of providing defense against real threats. HTTPS actually defends against some real attacks, providing an effective answer to a clearly defined problem: preventing the exposu

Re: invoicing with PKI

At 11:41 PM 9/2/2003 -0700, James A. Donald wrote: True names is where security took the wrong branch. The entire PKI structure has been rejected. x.509 identity certificates are business processes ... not a cryptography process. as I've mentioned elsewhere many of the institutions that looked a

Re: PRNG design document?

On Fri, Aug 29, 2003 at 03:45:50PM -0400, Thor Lancelot Simon wrote: > I think there's some confusion of terminology here. A "time", Ti for each > iteration of the algorithm, is one of the inputs to the X9.17 generator > (otherwise, you might as well just use DES/3DES in any chaining or feedback >

Re: Is cryptography where security took the wrong branch?

In message <[EMAIL PROTECTED]>, Ian Grigg <[EMAIL PROTECTED]> wrote: > One thing that has been on my mind lately is how > to define success of a crypto protocol. There are two needs a security protocol can address. One is the need to prevent or mitigate real attacks; the other is to make people f