Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Ian Grigg
Tom Weinstein wrote: The economic view might be a reasonable view for an end-user to take, but it's not a good one for a protocol designer. The protocol designer doesn't have an economic model for how end-users will end up using the protocol, and it's dangerous to assume one. This is

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Peter Gutmann
Perry E. Metzger [EMAIL PROTECTED] writes: TLS is just a pretty straightforward well analyzed protocol for protecting a channel -- full stop. It can be used in a wide variety of ways, for a wide variety of apps. It happens to allow you to use X.509 certs, but if you really hate X.509, define an

Protection against offline dictionary attack on static files

2003-11-12 Thread Arcane Jill
Hi, It's possible I may be reinventing the wheel here, so my apologies if that's so, but it occurs to me that there's a defence against an offline dictionary attack on an encrypted file. Here's what I mean: Say you have a file, and you want to keep it secret. What do you do? Obviously you

Intel announces DRM-enabled motherboard

2003-11-12 Thread Peter Gutmann
Intel has just announced a desktop motherboard with Wave's Embassy chip built in at http://www.intel.com/design/motherbd/rh/index.htm. Embassy is a DRM chip that was more recently re-targeted slightly for, uhh, non-DRM TCPA/TPM/whatever when they realised that DRM hardware was a bit of a hard

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anton Stiglic
- Original Message - From: Tom Otvos [EMAIL PROTECTED] As far as I can glean, the general consensus in WYTM is that MITM attacks are very low (read: inconsequential) probability. I'm not certain this was the consensus. We should look at the scenarios in which this is possible, and

RE: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anne Lynn Wheeler
Internet groups starts anti-hacker initiative http://www.computerweekly.com/articles/article.asp?liArticleID=125823liArticleTypeID=1liCategoryID=2liChannelID=22liFlavourID=1sSearch=nPage=1 one of the threats discussed in the above is the domain name ip-address take-over mentioned previously

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread David Honig
At 07:11 PM 10/22/03 -0400, Perry E. Metzger wrote: Indeed. Imagine if we waited until airplanes exploded regularly to design them so they would not explode, or if we had designed our first suspension bridges by putting up some randomly selected amount of cabling and seeing if the bridge

Digital certificate clearinghouse needs work

2003-11-12 Thread Anne Lynn Wheeler
http://www.fcw.com/fcw/articles/2003/1020/web-fbca-10-22-03.asp Digital certificate clearinghouse needs work The mechanism that allows a digital certificate to be used across government agencies must be upgraded before it will be available for the entire government, a federal information

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anton Stiglic
I'm not sure how you come to that conclusion. Simply use TLS with self-signed certs. Save the cost of the cert, and save the cost of the re-evaluation. If we could do that on a widespread basis, then it would be worth going to the next step, which is caching the self-signed certs, and

Gresham's Law?

2003-11-12 Thread Russell Nelson
I wonder if the DMCA (why do those initials bring to mind a song by The Village People?) isn't invoking Gresham's Law? Gresham's Law says bad money drives out good, but it only applies when there is a legal tender law. Such a law requires that all money be treated equally -- as legal tender for

Re: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption]

2003-11-12 Thread R. A. Hettinga
--- begin forwarded text Status: U To: [EMAIL PROTECTED] Date: Mon, 27 Oct 2003 16:37:55 +0100 (CET) From: [EMAIL PROTECTED] (Dr. Robert J. Harley) Subject: Re: Certicom? [...] [Fwd: NSA Turns To Commercial Software For Encryption] List-Id: Friends of Rohit Khare fork.xent.com

PGP Corporation Announces Release of PGP Desktop 8.0.3

2003-11-12 Thread R. A. Hettinga
--- begin forwarded text Status: U Date: Fri, 24 Oct 2003 11:35:52 -0400 To: Philodox Clips [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: PGP Corporation Announces Release of PGP Desktop 8.0.3 Reply-To: Philodox Clips [EMAIL PROTECTED] Sender: [EMAIL PROTECTED]

Certicom Sells Licensing Rights to NSA

2003-11-12 Thread R. A. Hettinga
--- begin forwarded text Status: U Date: Fri, 24 Oct 2003 11:44:39 -0400 To: Philodox Clips [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: Certicom Sells Licensing Rights to NSA Reply-To: Philodox Clips [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] List-Subscribe:

'Smart stamps' next in war on terrorism

2003-11-12 Thread R. A. Hettinga
http://dynamic.washtimes.com/print_story.cfm?StoryID=20031026-124606-8419r The Washington Times www.washingtontimes.com 'Smart stamps' next in war on terrorism By Audrey Hudson Published October 26, 2003 Sending an anonymous love letter or an angry note to your congressman? The U.S. Postal

New info on Palladium

2003-11-12 Thread Anonymous
For some updated news about NGSCB, aka Palladium, go to the Microsoft NGSCB newsgroup page at http://communities.microsoft.com/newsgroups/default.asp?icp=ngscbslcid=us. This might be a good forum for cypherpunks to ask questions about Palladium. There was a particularly informative posting by