Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-23 Thread Peter Gutmann
James A. Donald [EMAIL PROTECTED] writes: But is what they are doing wrong? The users? No, not really, in that given the extensive conditioning that they've been subject to, they're doing the logical thing, which is not paying any attention to certificates. That's why I've been taking the

2005 in review - The Year I lost my Identity

2005-12-23 Thread Peter Gutmann
Ian Grigg's blog has a neat tongue-in-cheek review of the year in security. Here's a sample: Browser manufacturers have moved slightly faster than your average glacier. Microsoft moved forward by announcing that phishing was a browser problem (Mozilla and KDE followed 8 months later), and

Re: A small editorial about recent events.

2005-12-23 Thread dan
You know, as a security person, I say all the time that the greatest threat is internal threat, not external threat. In my day job, I/we make surveillance tools to prevent data threat from materializing, and to quench it if it does anyhow. I tell clients all day every day that when the opponent

Re: A small editorial about recent events.

2005-12-23 Thread Daniel F. Fisher
David G. Koontz wrote: Yet President Bush as publicly stated it requires a court order to wiretap: Secondly, there are such things as roving wiretaps. Now, by the way, any time you hear the United States government talking about wiretap, it requires -- a wiretap requires a court order.

Re: RNG quality verification

2005-12-23 Thread Peter Gutmann
Philipp =?utf-8?q?G=C3=BChring?= [EMAIL PROTECTED] writes: What is wrong with the following black-box test? * Open browser * Go to a dummy CA's website * Let the browser generate a keypair through the keygen or cenroll.dll * Import the generated certificate * Backup the certificate together with

Re: RNG quality verification

2005-12-23 Thread Philipp G├╝hring
Hi Peter, Easily solveable bureaucratic problems are much simpler than unsolveable mathematical ones. Perhaps there is some mis-understanding, but I am getting worried that the common conception seems to be that it is an unsolveable problem. What is wrong with the following black-box test?

Re: browser vendors and CAs agreeing on high-assurance certificat es

2005-12-23 Thread leichter_jerrold
| | But is what they are doing wrong? | | | | The users? No, not really, in that given the extensive conditioning that | | they've been subject to, they're doing the logical thing, which is not paying | | any attention to certificates. That's why I've been taking the (apparently | | somewhat

Standard ways of PKCS #8 encryption without PKCS #5?

2005-12-23 Thread Jack Lloyd
Does anyone know of any 'standard' [*] ways of encrypting private keys in the usual PKCS #8 format without using password-based encryption? It is obviously not hard to do, as you can stick whatever you like into the encryptionAlgorithm field, so it would be easy to specify an plain encryption

Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-23 Thread David Mercer
On 12/23/05, Peter Gutmann [EMAIL PROTECTED] wrote: PKI in browsers has had 10 years to start working and has failed completely, how many more years are we going to keep diligently polishing away before we start looking at alternative approaches? There have been several long threads over on

Re: RNG quality verification

2005-12-23 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Philipp =?utf-8?q?G=C3=BChrin g?= writes: Hi Peter, Easily solveable bureaucratic problems are much simpler than unsolveable mathematical ones. Perhaps there is some mis-understanding, but I am getting worried that the common conception seems to be that it is an

Re: browser vendors and CAs agreeing on high-assurance certificat es

2005-12-23 Thread Ian G
BTW, illustrating points made here, the cert is for financialcryptography.com but your link was to www.financialcryptography.com. So of course Firefox generated a warning Indeed and even if that gets fixed we still have to contend with: * the blog software can't handle the nature

Re: A small editorial about recent events.

2005-12-23 Thread Chris Palmer
[EMAIL PROTECTED] writes: You know, as a security person, I say all the time that the greatest threat is internal threat, not external threat. In my day job, I/we make surveillance tools to prevent data threat from materializing, and to quench it if it does anyhow. I tell clients all day