Re: delegating SSL certificates

2008-03-16 Thread Peter Gutmann
[EMAIL PROTECTED] writes: I would think this would be rather common, and I may have heard about certs that had authority to sign other certs in some circumstances... The desire to do it isn't uncommon, but it runs into problems with PKI religious dogma that only a CA can ever issue a

Re: delegating SSL certificates

2008-03-16 Thread Ben Laurie
[EMAIL PROTECTED] wrote: So at the company I work for, most of the internal systems have expired SSL certs, or self-signed certs. Obviously this is bad. You only think this is bad because you believe CAs add some value. SSH keys aren't signed and don't expire. Is that bad? --

Re: RNG for Padding

2008-03-16 Thread William Allen Simpson
We had many discussions about this 15 years ago You usually have predictable plaintext. A cipher that isn't strong enough against a chosen/known plaintext attack has too many other protocol problems to worry about mere padding! For IPsec, we originally specified random padding with 1

Re: cold boot attacks on disk encryption

2008-03-16 Thread The Fungi
On Sat, Feb 23, 2008 at 05:09:29AM +1300, Peter Gutmann wrote: There were commercial products that did this available some years ago, they hooked into the Windows auth using a custom GINA DLL (GINA = the Windows extensible login/authentication mechanism, think PAM for Windows) and locked the

Re: delegating SSL certificates

2008-03-16 Thread John Levine
So at the company I work for, most of the internal systems have expired SSL certs, or self-signed certs. Obviously this is bad. You only think this is bad because you believe CAs add some value. Presumably the value they add is that they keep browsers from popping up scary warning messages.

Re: delegating SSL certificates

2008-03-16 Thread Dirk-Willem van Gulik
On Mar 16, 2008, at 12:32 PM, Ben Laurie wrote: [EMAIL PROTECTED] wrote: So at the company I work for, most of the internal systems have expired SSL certs, or self-signed certs. Obviously this is bad. You only think this is bad because you believe CAs add some value. SSH keys aren't

Re: [mm] delegating SSL certificates

2008-03-16 Thread Ben Laurie
Dirk-Willem van Gulik wrote: So I'd argue that while x509, its CA's and its CRL's are a serious pain to deal** with, and seem add little value if you assume avery diligent and experienced operational team -- they do provide a useful 'procedural' framework and workflow-guide which is in itself