It's utterly baffling to me why people like this choose to design
their own thing rather than just using SSL.
Totally agree. At this point in time, if it's a TCP based protocol
and it isn't built on SSL/TLS, it should pretty much be treated
as snake oil, I'd say. Perhaps some kind of
The framework, however, generally provides insecure cookies.
No I'm confused. First you said it doesn't make things like the
session-ID available, and I posted a URL to show otherwise. Now you're
saying it's available but insecure?
/r$
--
Rich Salz Chief Security
/groups?dq=hl=enlr=ie=UTF-8threadm=bj9mos%242tbt%241%40FreeBSD.csie.NCTU.edu.twprev=/groups%3Fgroup%3Dmailing.openssl.users
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com
On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:
It is the first *source code* certification.
The ability to do this runs counter to my understanding of FIPS 140-2.
Sure, that's why it's *the first.* They have never done this before,
and it is very different to how
stolen. You don't
know that for software.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev
And 'the public' doesn't include people like government level attackers?
People like cryptography experts? People who like to play with things like
this?
No it doesn't. *It's not in the threat model.*
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology
.
The bytestream above is already bidirectional.
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
a number on a web page, and then they call you and you key in
the number. They were founded in 1999; not sure if they're still active.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http
on deciding what to call this
library that is to-be-written, and how to license this library that is
to-be-written, that time should be spent on, well, writing it. :)
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML
now.
That draft has been replaced by the UUID/URN draft that I mentioned.
It includes all of the original text. Actually, I rewrote most of it
so it reads better now. It's actually in the final comment period and
should show up as an official RFC in a few weeks.
/r$
--
Rich Salz
note,
what current patent/trademark issues have people run across with the
algorithms mentioned above?
Well, for the ones you mentioned, RSA and 3DES are unencumbered.
RC4 is a trademark owned by RSA Data Security. So don't violate their
trademark.
/r$
--
Rich Salz Chief
using XML DSIG and
Encryption.
But hey, ya gotta start somewhere.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http
management, etc., is pretty good. (Having them tied to the key database,
and having the keys be unlocked while making cert requests, are both
real bad ideas, however.)
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML
-server, not per-query, you could easily
set up an international free service on a big piece of iron.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security
attribute is no big deal. With any luck,
the new year will bring the analogy SOAP::other middleware as SAML::x.509 :)
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com
(er, Kerberos inter-realm) flows. After all, there's only not
many ways to do secure online trusted third-party authentication.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com
with it? Once you see that a cert has expired,
there's no need whatsoever to go look at the CRL. The point of a CRL is
to revoke certificates prior to their expiration.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML
two MSFT certificates:
In the future, VRSN patches will be issued as MSFT
software updates.
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security
virtually any kind of
electronic record, free from dependence on any specific hardware or
software. (http://www.archives.gov/electronic_records_archives/index.html)
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http
$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
secure than SET ever was. Since
it wasn't a CCard transaction, my liability under SET was unlimited (at
least until Congress caught up to the technology). Looking at the risk
management aspect, SET was a big loser for the customer.
/r$
--
Rich Salz Chief Security
.
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
I've been trying to study Kerberos' design history in the recent past
and have failed to come up with a good resource that explains why things
are built the way they are.
http://web.mit.edu/kerberos/www/dialogue.html
/r$
period
for this document will be 30 days, ending on November 1st, 2004.
Please direct all comments and questions to Matthew J. Fanto at
[EMAIL PROTECTED]
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http
* Canon laser engine
generated a unique microprint signature that could be traced back to a
particular device. OEMs could buy the engine with or without the
signature. If so, this has been going on, surreptitiously, for years.
/r$
--
Rich Salz Chief Security Architect
as a line of
defense to screen out outsiders, rather than hold insiders liable.
Loosely coupled, tightly contracted.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products
to implement XML processing to do
XML Digital Signatures
The others are just blowing smoke, or proof by snarkiness. :)
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com
are fundamentally broken. :)
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
I think that by eliminating the need for a merchant to learn
information about your identity I have aimed higher. Given that we're
talking about credit instruments,
Wasn't that a goal of SET?
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http
merchants they would for the time being treat SSL as card-present,
in terms of fraud penalties, etc. If this is true (anyone here verify?
My source is on the list if s/he wants to name themselves), then SSL/SET
is an interesting example of betting on both sides.
/r$
--
Rich Salz
Is it possible for two web sites to arrange for cross
logins?
Check out SAML, esp the browser artifact profile.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products
a license for part of the Certicom patents.
I am sure that I'm not alone.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html