Re: Dutch Transport Card Broken

2008-02-10 Thread James A. Donald
Steven M. Bellovin wrote: There's another issue: initial account setup. [Even with SRP] people will still need to rely on certificate-checking for that. It's a real problem at some hotspots, where Evil Twin attacks are easy and lots of casual users are signing up for the first time. For

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-10 Thread Leichter, Jerry
| By the way, it seems like one thing that might help with client certs | is if they were treated a bit like cookies. Today, a website can set | a cookie in your browser, and that cookie will be returned every time | you later visit that website. This all happens automatically. Imagine | if a

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-10 Thread Anne Lynn Wheeler
re: http://www.garlic.com/~lynn/aadsm28.htm#30 Fixing SSL so lots of the AADS http://www.garlic.com/~lynn/x959.html#aads scenarios are that every place a password might appear, have a public key instead. for various of the cookie authentication operations ... also think kerberos tickets.

Re: TLS-SRP TLS-PSK support in browsers (Re: Dutch Transport Card Broken)

2008-02-10 Thread Ian G
Peter Gutmann wrote: Victor Duchovni [EMAIL PROTECTED] writes: While Firefox should ideally be developing and testing PSK now, without stable libraries to use in servers and browsers, we can't yet expect anything to be released. Is that the FF devlopers' reason for holding back? Just

Re: Toshiba shows 2Mbps hardware RNG

2008-02-10 Thread Bill Stewart
At 07:02 PM 2/9/2008, Peter Gutmann wrote: I've always wondered why RNG speed is such a big deal for anything but a few highly specialised applications. For security use you've got two options: 1. Use it with standard security protocols, in which case you need all of 128 or so bits every now

Re: TLS-SRP TLS-PSK support in browsers (Re: Dutch Transport Card Broken)

2008-02-10 Thread Werner Koch
On Thu, 7 Feb 2008 16:37, [EMAIL PROTECTED] said: I don't have any idea why or why not, but all they can release now is source code with #ifdef openssl = 0.9.9 ... do PSK stuff ... #endif, The last time I checked the Mozilla code they used their own crypto stuff. When did they switched to