Re: Encryption plugins for gaim

2005-03-20 Thread Peter Saint-Andre
On Tue, Mar 15, 2005 at 02:14:48PM -0500, Ian Goldberg wrote: OTR works over Jabber today. Granted, it's not very Jabberish (as far as I understand the term; I don't know the Jabber protocol very well): it just replaces the text of the message with ciphertext. [gaim, at least, doesn't seem

Re: Cross logins

2005-08-04 Thread Peter Saint-Andre
Rich Salz wrote: Is it possible for two web sites to arrange for cross logins? Check out SAML, esp the browser artifact profile. Check out Passel, which lacks the complexity of SAML: http://www.passel.org/ Peter smime.p7s Description: S/MIME Cryptographic Signature

Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Peter Saint-Andre
(or if you've connected via SSL on the old-style port 5223). Decide for yourself if that's secure and whether the iChat warning is justified. Peter -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml smime.p7s Description: S/MIME Cryptographic Signature

Re: Another entry in the internet security hall of shame....

2005-08-25 Thread Peter Saint-Andre
by Microsoft. Personally, I find CAcert to be an interesting experiment in webs of trust. Peter -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml smime.p7s Description: S/MIME Cryptographic Signature

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Peter Saint-Andre
in that (or any other) case if you've got a client-server architecture. Granted, e2e security is also desirable. Peter -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml smime.p7s Description: S/MIME Cryptographic Signature

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Peter Saint-Andre
Alaric Dailey wrote: I am aware of Jabbers support for GPG/PGP, but did I miss their support for user certificates? I have seen no indication of such support, what client supports it? RFC 3923. But no clients support that yet to my knowledge. Peter smime.p7s Description: S/MIME

Re: Another entry in the internet security hall of shame....

2005-08-26 Thread Peter Saint-Andre
and it doesn't support perfect forward security etc. Another possible approach being discussed is here: http://www.jabber.org/jeps/jep-0116.html Peter -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml smime.p7s Description: S/MIME Cryptographic Signature

Re: e2e all the way (Re: Another entry in the internet security hall of shame....)

2005-08-26 Thread Peter Saint-Andre
Adam Back wrote: Well I think security in IM, as in all comms security, means security such that only my intended recipients can read the traffic. (aka e2e security). I don't think the fact that you personally don't care about the confidentiality of your IM messages should argue for not doing

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-28 Thread Peter Saint-Andre
bear wrote: On Fri, 24 Feb 2006, Peter Saint-Andre wrote: Personally I doubt that anything other than a small percentage of email will ever be signed, let alone encrypted (heck, most people on this list don't even sign their mail). I don't think I've said anything here that I

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Saint-Andre
+ SASL-EXTERNAL if you want true server-to-server authentication). So I'd say the abuse and identity problems are not as bad in IM (at least the IM technology I'm familiar with) as in email. But you'd hope that we've learned a thing or two since email was invented. ;-) Peter -- Peter Saint-Andre

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Saint-Andre
Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml smime.p7s Description: S/MIME Cryptographic Signature

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Peter Saint-Andre
Victor Duchovni wrote: On Wed, Mar 08, 2006 at 12:53:16PM -0700, Peter Saint-Andre wrote: These are closed systems that compete with each other, once they become federated, they can no longer compete on end-to-end security, because that is a property of the interoperability framework

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-20 Thread Peter Saint-Andre
Ian G wrote: Chris Palmer wrote: Peter Saint-Andre writes: http://www.saint-andre.com/blog/2006-02.html#2006-02-27T22:13 3. I see on your site you use and advertise for CACert. I hope CACert's signing cert(s) are never trusted by my browser, because then my browser would trust any cheap

Re: SSL Cert Prices Notes

2006-08-10 Thread Peter Saint-Andre
FreeFreeFree Have you looked at StartCom? https://cert.startcom.org/ Peter -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml smime.p7s Description: S/MIME Cryptographic Signature

Re: Failure of PKI in messaging

2007-02-15 Thread Peter Saint-Andre
to come up with human interfaces to these systems that actually allow them to work effectively in the human world. So how do we abstract from or extend what (somewhat) works in the real world to something that might work in the online world? Peter -- Peter Saint-Andre XMPP Standards Foundation http

Re: SSL certificates for SMTP

2007-05-24 Thread Peter Saint-Andre
established a dedicated Intermediate Certification Authority for issuing digital certificates to admins of XMPP servers: https://www.xmpp.net/ Peter -- Peter Saint-Andre XMPP Standards Foundation http://www.xmpp.org/xsf/people/stpeter.shtml smime.p7s Description: S/MIME Cryptographic

Re: Strength in Complexity?

2008-08-04 Thread Peter Saint-Andre
[EMAIL PROTECTED] wrote: With the caveat that I am reading mail in reverse order (i.e., panic-mode), I do have to say one thing and it isn't even to mount a stirring defense of Kerberos, which does not need defending anyhow... The design space for practical network security has always been:

security questions

2008-08-06 Thread Peter Saint-Andre
Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** What is name of the hospital in which your first child was born? What is your mother's birthday? (MMDD) What is the first name of your first roommate in college? What is the name

Re: security questions

2008-08-06 Thread Peter Saint-Andre
Chris Kuethe wrote: On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre [EMAIL PROTECTED] wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** ... *** It strikes me that the answers to many of these questions might be public

Re: security questions

2008-08-07 Thread Peter Saint-Andre
Stefan Kelm wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: Does Wells Fargo really use the term security question here? Yes it does. I'm a Wells Fargo customer and I had to set my security questions yesterday in order

Re: X.509 certificate overview + status

2009-03-03 Thread Peter Saint-Andre
/ The root CA is StartCom, which is accepted in Mozilla, OS X, and various other cert stores. I've noticed that these certs are becoming quite popular on the XMPP network (plus, they result none of those cert warnings that scare of normal users). /plug Peter -- Peter Saint-Andre https

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Peter Saint-Andre
-- I'll post more soon. Peter -- Peter Saint-Andre https://stpeter.im/ ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Peter Saint-Andre
stuff is happening now (LinkedIn and the like). In a way the old-fashioned letter of introduction had a lot to recommend it. :-) Peter -- Peter Saint-Andre https://stpeter.im/ ___ The cryptography mailing list cryptography@metzdowd.com http

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Peter Saint-Andre
, but secure technologies for individuals. Peter -- Peter Saint-Andre https://stpeter.im/ ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Peter Saint-Andre
-wouters-dane-otrfp/ Peter -- Peter Saint-Andre https://stpeter.im/ ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Keeping backups (was Re: Separating concerns

2013-08-31 Thread Peter Saint-Andre
idea of a network of friends (maybe it's because I've worked on Jabber for so long, but I like the idea of leveraging your buddy list for many interesting features, including data backup and mix networking). Peter -- Peter Saint-Andre https://stpeter.im

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Peter Saint-Andre
and deployments? Thanks! Peter - -- Peter Saint-Andre https://stpeter.im/ -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Peter Saint-Andre
for voice, video, file transfer, etc. And such relays might just live on those little home devices that Perry is talking about, separate from the cloud. Peter - -- Peter Saint-Andre https://stpeter.im/ -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools

Re: [Cryptography] Usage models (was Re: In the face of cooperative end-points, PFS doesn't help)

2013-09-08 Thread Peter Saint-Andre
with the usage pattern almost everyone has gotten used to. It cannot be done with the existing cloud model, though -- the user needs to own the box or we can't simultaneously maintain current protocols (and thus current clients) and current usage patterns. I very much agree. Peter - -- Peter Saint