Arshad Noor [EMAIL PROTECTED] writes:
Ben Laurie wrote:
As such, I'm not seeing much value.
That may be because you are a cryptographer. If you were the CSO, an
Operations Director, or an Application Developer in a company that had
to manage encryption keys for 5,000 POS Terminals, 10,000
On Sun, 3 Aug 2008, Arshad Noor wrote:
A more optimistic way of putting this, Ben, is to state that EKMI allows
domain-experts of underlying components to address the complex issues of
their domain in ways that they deem best, while providing value on top
of those components. I see no reason to
On Aug 3, 2008, at 13:54, Alexander Klimov wrote:
If your p-value is smaller than the significance level (say, 1%)
you should repeat the test with different data and see if the
test persistently fails or it was just a fluke.
Or better still, make many tests and see if your p-values are
On Mon, 4 Aug 2008, Stephan Neuhaus wrote:
Or better still, make many tests and see if your p-values are
uniformly distributed in (0,1). [Hint: decide on a p-value for that
last equidistribution test *before* you compute that p-value.]
Of course, there are many tests for goodness of fit
Perry E. Metzger wrote:
There are existing deployed solutions like Kerberos that scale far
beyond that and work just fine, and actually address all the things
this protocol seems to leave as an exercise to the reader. And yes,
they're in use in real companies at gigantic scales. (Indeed,
Cat Okita wrote:
... or in other words, EKMI leaves all of the hard/impossible problems
to be solved by somebody else. I'd have to agree with Ben that I'm
not seeing the value add of an additional layer of complexity.
I view EKMI as using the best tools the cryptographic community has to
Arshad Noor [EMAIL PROTECTED] writes:
That said, Kerberos clearly has the benefit of 20+ years of research
and use in the field. However, there are two fundamental differences
between SKSML and Kerberos, IMHO:
1) The design goals for Kerberos were very different from SKSML. The
former
Perry E. Metzger wrote:
That said, kerberos tickets can persist even in the face of
disconnects, so once you've connected tickets can survive as long as
you wish.
But, can the tickets be used for anything useful when the
network does not exist?
I agree that when the network comes back, the
With the caveat that I am reading mail in
reverse order (i.e., panic-mode), I do have
to say one thing and it isn't even to mount a
stirring defense of Kerberos, which does not
need defending anyhow...
The design space for practical network security
has always been:
I'm OK
You're OK
Arshad Noor [EMAIL PROTECTED] writes:
Perry E. Metzger wrote:
That said, kerberos tickets can persist even in the face of
disconnects, so once you've connected tickets can survive as long as
you wish.
But, can the tickets be used for anything useful when the
network does not exist?
If you
Perry E. Metzger wrote:
Arshad Noor [EMAIL PROTECTED] writes:
- after all people didn't really need DBMS's 30 years
ago because they could do all the data-management operations
inside each application quite well, thank you!
I think that comparing the advance SQL made with SKMS seems a bit
[EMAIL PROTECTED] writes:
The design space for practical network security
has always been:
I'm OK
You're OK
The Internet is a problem
A gathering storm of compromised machines, now
variously estimated in the 30-70% range depending
on with whom you are talking, means that the
Tim Hudson [EMAIL PROTECTED] writes:
I think that Arshad's point here is an argument that externalising
key management handling from normal application logic is a valid one
but that it is also equally applicable to existing Kerberos
environments.
I don't think a point beyond externalisation
Perry E. Metzger wrote:
SKMS is vaporware that leaves all
the hard parts of the specification out.
An open-source implementation has been available for 2 years.
A new version will be available next year that will implement
the current OASIS draft and whatever useful comments the
Public Review
[EMAIL PROTECTED] wrote:
With the caveat that I am reading mail in
reverse order (i.e., panic-mode), I do have
to say one thing and it isn't even to mount a
stirring defense of Kerberos, which does not
need defending anyhow...
The design space for practical network security
has always been:
15 matches
Mail list logo
