Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread R.A. Hettinga
At 9:24 PM + 3/11/05, Ian G wrote: >Does anyone have a view on what "low" and "high" means in this >context? Indeed, what does "assurance" mean? :-) By what market price, of course. Verisign is more well known to the average schmuck than godaddy is, and, apparently, the average schmuck fork

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread John Levine
>Does anyone have a view on what "low" and "high" means in this >context? Indeed, what does "assurance" mean? Just last week I was trying to figure out what the difference was between a StarterSSL certificate for $35 (lists at $49 but you might as well sign up for the no-commitment reseller price

Re: comments wanted on gbde

2005-03-15 Thread James A. Donald
-- I can see no faults in gbde other than that it is too clever by half. The implementor imagined various vaguely imagined complicated attacks, and put in all sorts of overly clever stuff to defeat them. Let us stick with the threat model where the bad guys kick down your door and yank you

Encryption plugins for gaim

2005-03-15 Thread Adam Fields
Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. Specifically, I note gaim-otr, authored by Ian G, who's on this list. Ian - would you care to share some insights on this? Is it ready for prime time or just a proof-o

RE: Colliding X.509 Certificates

2005-03-15 Thread Weger, B.M.M. de
Hi Joerg, > My concern is not MD5, its SHA-1. I don't see that we can get rid of > SHA-1 in certificates in the next 5 years: > * None of the alternatives is widely implemented today. > * For controlled environments like in-house applications you might be > able to switch earlier (0-2 years). >

PK -> OTP?

2005-03-15 Thread Matt Crawford
My educated-layman's opinion is that the following is not feasible, but I'd be happy to be shown wrong ... Given a closed public-key device such as a typical smart card with its limited set of operations (chiefly "sign"), is it possible to implement a challenge/response function such that * Bo

Do You Need a Digital ID?

2005-03-15 Thread R.A. Hettinga
PCWorld.com - Topics > Privacy & Security > Online Security > Do You Need a Digital ID? Security experts debate new ways to curb identity theft and boost e-commerce. Scarlet Pruitt, IDG News Service Friday, March 11,

Re: I'll show you mine if you show me, er, mine

2005-03-15 Thread Enzo Michelangeli
- Original Message - From: "James A. Donald" <[EMAIL PROTECTED]> To: ; <[EMAIL PROTECTED]> Sent: Wednesday, March 09, 2005 4:25 AM [...] > > > However, techniques that establish that the parties share a > > > weak secret without leaking that secret have been around > > > for years -- Bello

RE: I'll show you mine if you show me, er, mine

2005-03-15 Thread Charlie Kaufman
James A. Donald said: >There seem to be a shitload of protocols, in addition to SPEKE >and DH-EKE ... >Can anyone suggest a well reviewed, unpatented, protocol that >has the desired properties? Unpatented will be your biggest hurdle. I collaborated on the development of a strong password proto

Security is the bits you disable before you ship

2005-03-15 Thread Peter Gutmann
>From a news.com story about features of gcc 4.0, available at http://news.com.com/Key+open-source+programming+tool+due+for+overhaul/2100-7344_3-5615886.html Key open-source programming tool due for overhaul Published: March 14, 2005, 10:46 AM PST By Stephen Shankland Staff Writer, CNET Ne

ocf-linux-20050315 - Asynchronous Crypto support for linux (fwd from [EMAIL PROTECTED])

2005-03-15 Thread Eugen Leitl
From: David McCullough <[EMAIL PROTECTED]> Subject: ocf-linux-20050315 - Asynchronous Crypto support for linux To: [EMAIL PROTECTED], linux-kernel@vger.kernel.org Cc: Andrew Morton <[EMAIL PROTECTED]>, James Morris <[EMAIL PROTECTED]>, Herbert Xu <[EMAIL PROTECTED]>

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread Peter Gutmann
Ian G <[EMAIL PROTECTED]> writes: >In the below, John posted a handy dandy table of cert prices, and Nelson >postulated that we need to separate high assurance from low assurance. >Leaving aside the technical question of how the user gets to see that for >now, note how godaddy charges $90 for thei

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread Peter Gutmann
Ian G <[EMAIL PROTECTED]> writes: >Or is this merely a distinction in adspace only? Just a way to separate more >dollars from Alice? It's a distinction in adspace only, in the same way that you're expected to think that a $200 DVD player from Sony Corp is better than a $40 player from Foo Yuk Corp

Re: Encryption plugins for gaim

2005-03-15 Thread Ian G
Adam Fields wrote: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. Specifically, I note gaim-otr, authored by Ian G, who's on this list. Just a quick note of clarification, there is a collision in the name Ian G. 4

Re: Security is the bits you disable before you ship

2005-03-15 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Peter Gutmann writes : >>From a news.com story about features of gcc 4.0, available at >http://news.com.com/Key+open-source+programming+tool+due+for+overhaul/2100-734 >4_3-5615886.html > > Key open-source programming tool due for overhaul > Published: March 14, 200

Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-15 Thread Victor Duchovni
On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote: > Certainly with UIXC it's not worth anything. > What is UIXC? -- /"\ ASCII RIBBON NOTICE: If received in error, \ / CAMPAIGN Victor Duchovni please destroy and notify X AGAINST IT Security, sen

Re: Encryption plugins for gaim

2005-03-15 Thread Taral
On Mon, Mar 14, 2005 at 01:19:04AM -0500, Adam Fields wrote: > Given what may or may not be recent ToS changes to the AIM service, > I've recently been looking into encryption plugins for gaim. > > Specifically, I note gaim-otr, authored by Ian G, who's on this list. > > Ian - would you care to

Crack in Computer Security Code Raises Red Flag

2005-03-15 Thread R.A. Hettinga
The Wall Street Journal March 15, 2005 PAGE ONE Crack in Computer Security Code Raises Red Flag Obscure but Worrying Flaw Compromises 'Fingerprint' Widely Used on Internet By CHARLES FORELLE Staff Reporter of THE WALL