Re: dual-use digital signature vulnerability

2004-07-21 Thread Anne & Lynn Wheeler
At 08:08 PM 7/18/2004, Sean Smith wrote: Why isn't it sufficient? (Quick: when was the last time anyone on this list authenticated by signing unread random data?) The way the industry is going, user keypairs live in a desktop keystore, and are used for very few applications. I'd bet the vast

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-21 Thread Amir Herzberg
(Eric Rescorla wrote in response to Ian Grigg)^2: ... (4) Active attacks against the client. By this I mean hacking the client, installing a virus, malware, spyware or whathaveyou. (This is now real, folks.) (5) Active attacks against the server. Basically, ... Of course, SSL/SB doesn't

Re: dual-use digital signature vulnerability

2004-07-21 Thread Jerrold Leichter
| the issue in the EU FINREAD scenario was that they needed a way to | distinguish between (random) data that got signed ... that the key owner | never read and the case where the key owner was actually signing to | indicate agreement, approval, and/or authorization. They specified a | FINREAD

Re: dual-use digital signature vulnerability

2004-07-21 Thread Anne & Lynn Wheeler
At 08:25 AM 7/19/2004, Jerrold Leichter wrote: A traditional "notary public", in modern terms, would be a tamper-resistant device which would take as inputs (a) a piece of text; (b) a means for signing (e.g., a hardware token). It would first present the actual text that is being signed to the par

RE: dual-use digital signature vulnerability

2004-07-21 Thread Anton Stiglic
About using a signature key to only sign contents presented in a meaningful way that the user supposedly read, and not random challenges: The X.509 PoP (proof-of-possession) doesn't help things out, since a public key certificate is given to a user by the CA only after the user has demonstrated t

Re: dual-use digital signature vulnerability

2004-07-21 Thread Jerrold Leichter
| note that some of the online click-thru "contracts" have been making | attempt to address this area; rather than simple "i agree"/"disagree" | buttons ... they put little checkmarks at places in scrolled form you | have to at least scroll thru the document and click on one or more | checkmar

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-21 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Ian Grigg writes: >> >> Don't be silly. It's not a threat because people generally use >> SSL. Back in the old days, password capture was a very serious >> threat. It went away with SSH. It seems to me quite likely that >> it would be a problem with web browsing in

Re: New Attack on Secure Browsing

2004-07-21 Thread Jon Callas
On 15 Jul 2004, at 9:36 PM, Aram Perez wrote: I'm not sure if PGP deliberately set out to confuse naïve users since their logo has been the padlock for a while. Many web sites have their logo displayed on the address bar (and tab) when you go to their site, see http://www.yahoo.com or http://www.g

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-21 Thread Ian Grigg
Steve, thanks for addressing the issues with some actual anecdotal evidence. The conclusions still don't hold, IMHO. Steven M. Bellovin wrote: In message <[EMAIL PROTECTED]>, Ian Grigg writes: Right... It's easy to claim that "it went away" because we protected against it. Unfortunately, that's

EZ Pass followup.

2004-07-21 Thread Trei, Peter
This may be of interest to the folks discussing EZ pass. On ne.transportation, there is a thread regarding the subject, titled: Surveillance Equipment on I-95? The most interesting post follows. Peter Trei From: [EMAIL PROTECTED] "John F. Carr" wrote: > In artic

Cryptography and the Open Source Security Debate

2004-07-21 Thread R. A. Hettinga
osViews | osOpinion Cryptography and the Open Source Security Debate Articles / Security Date: Jul 20, 2004 - 01:03 AM Contributed by: Daniel R. Miessler :: Open Content If you follow technology trends, you're probably aware of the two schools o

Production Of High-fidelity Entangled Photons Exceeds 1 Million Per Second

2004-07-21 Thread R. A. Hettinga
Source: University Of Illinois At Urbana-Champaign Date: 2004-07-20 URL: http://www.sciencedaily.com/releases/2004/07/040720085840.htm Production Of High-fidelity Entangled Photons Exceeds 1 Million Per Second CHAM

Re: dual-use digital signature [EMAIL PROTECTED]

2004-07-21 Thread Sean W. Smith
On Jul 19, 2004, at 11:40 AM, Anton Stiglic wrote: The X.509 PoP (proof-of-possession) doesn't help things out, since a public key certificate is given to a user by the CA only after the user has demonstrated to the CA possession of the corresponding private key by signing a challenge. I suspect

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-21 Thread Perry E. Metzger
I'm perhaps a bit overly blunt in this message. I apologize for that, but I don't really know how to be more subtle and still get across my message. Ian Grigg <[EMAIL PROTECTED]> writes: > Steven M. Bellovin wrote: >>>But, there is precious little to suggest that >>>credit cards would be sniffed

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-21 Thread Anne & Lynn Wheeler
At 01:54 PM 7/19/2004, Steven M. Bellovin wrote: It's also worth remembering that an SSL-like solution -- cryptographically protecting the transmission of credit card number, instead of digitally signing a funds transfer authorization linked to some account -- was more or less the only thing possib