Re: [cryptography] Quantum crypto and the world cup

2010-06-22 Thread Ian G
The security world in general (including crypto) is far more sensitive than it ought to be to mass media. This is primarily because security is an information-asymmetric or information-poor world. Which is to say, as a society, we simply don't know enough how to do this thing called security.

Re: [cryptography] current status of SSL revocation support

2010-08-26 Thread Ian G
On 27/08/10 7:28 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: I got the impression, many years ago, that you couldn't rely on systems to check revocation status, even if the system was online. More or less, this opinion is held by many who've looked closely at the results. Although

Re: [cryptography] key management guidelines

2010-09-03 Thread Ian G
On 4/09/10 4:21 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: It's too bad there isn't a notion of identity separate from keys. The problem with all this is there is an assumption that we can accurately model an identity in any form. In practice, we can't. In more theoretical term

Re: [cryptography] Definition of Identity (was Re: key management guidelines)

2010-09-04 Thread Ian G
On 5/09/10 3:08 AM, Arshad Noor wrote: Ian G wrote: On 4/09/10 4:21 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: It's too bad there isn't a notion of identity separate from keys. The problem with all this is there is an assumption that we can accurately model an ident

Re: [cryptography] real world illustrations of Kerckhoff's principle?

2010-09-08 Thread Ian G
On 9/09/10 5:07 AM, Scott G. Kelly wrote: I'd like to create a convincing list of real-world examples of failures involving use of "secret" algorithms. Unfortunately, the result may not be what you were hoping for :) You're probably thinking of Kerckhoffs' *2nd* principle. Back in 1883, h

Re: [cryptography] is there an interation-incremental version of PBKDF2?

2010-09-09 Thread Ian G
On 10/09/10 4:06 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: I understand your point, but I think it's fair to ask "can we do better?" Your implication is, "don't try, don't even discuss trying". I think that's a cop out, intellectually lazy, and boring; but sure, it avoids the risks
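The thread above asks whether PBKDF2 can be made iteration-incremental. The following is an added example (not code from the thread, nor from any PBKDF2 implementation) showing that it can, provided you keep the right state: for one output block, PBKDF2-HMAC is T = U_1 xor U_2 xor ... xor U_c with U_(j+1) = HMAC(P, U_j), so saving (T_c, U_c) lets you continue to c+k rounds and land on exactly what hashlib.pbkdf2_hmac(c+k) produces. The caveat is that U_c is not part of the derived key; keeping only the key (the natural mistake) does not let you extend. The block assumes a single output block (dkLen == hLen) and SHA-256, and the password/salt/iteration counts are constructed sample values.

```python
"""Iteration-incremental PBKDF2-HMAC (added example, not from the thread).

Assumes RFC 8018 PBKDF2 with a single output block (dkLen == hLen) and
HMAC-SHA256 as the PRF.  The extendable state is the pair (T, U):
  T = U_1 ^ U_2 ^ ... ^ U_c   (this block of the derived key)
  U = U_c                     (what the next round is computed from)
"""
import hashlib
import hmac

HASH = "sha256"
HLEN = hashlib.new(HASH).digest_size


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pbkdf2_state(password, salt, iterations, block_index=1):
    """Return (T, U) after `iterations` rounds for one PBKDF2 block."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    # U_1 = PRF(P, S || INT(i)); later rounds chain on the previous U.
    u = hmac.new(password, salt + block_index.to_bytes(4, "big"), HASH).digest()
    t = u
    for _ in range(iterations - 1):
        u = hmac.new(password, u, HASH).digest()
        t = _xor(t, u)
    return t, u


def pbkdf2_extend(password, state, extra_iterations):
    """Advance a saved (T, U) state by `extra_iterations` more rounds."""
    t, u = state
    for _ in range(extra_iterations):
        u = hmac.new(password, u, HASH).digest()
        t = _xor(t, u)
    return t, u


def demo(password=b"correct horse", salt=b"\x00" * 16, base=1000, extra=500):
    """Constructed sample: derive at `base` rounds, then extend to base+extra.

    Returns a dict of booleans comparing each route against hashlib's
    one-shot PBKDF2 so the reader can see which state is sufficient.
    """
    reference = hashlib.pbkdf2_hmac(HASH, password, salt, base + extra, HLEN)
    t0, u0 = pbkdf2_state(password, salt, base)
    extended, _ = pbkdf2_extend(password, (t0, u0), extra)
    # Wrong approach: only the derived key T was stored, so T is used as U.
    from_key_only, _ = pbkdf2_extend(password, (t0, t0), extra)
    return {
        "base_matches_hashlib": t0 == hashlib.pbkdf2_hmac(HASH, password, salt, base, HLEN),
        "extended_matches_hashlib": extended == reference,
        "key_only_extension_matches": from_key_only == reference,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical consequence for a password store: if you want to raise the iteration count later without the user's password, you must have stored U_c alongside the hash, and storing U_c gives an attacker no shortcut only because recovering the password still requires inverting the first round. A store that keeps only the final derived key has to wait for the next login to re-stretch.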

Re: [cryptography] real world illustrations of Kerckhoff's principle?

2010-09-09 Thread Ian G
On 10/09/10 3:37 AM, Marsh Ray wrote: On 09/08/2010 06:35 PM, Ian G wrote: As a final footnote; why is K2 so misused? Why does everyone believe that Shannon's maxim means you must never use a secret algorithm? I always figured there were a few reasons: 1. To ensure that the people desi

Re: [cryptography] "stream MAC" - does anything like it exist?

2010-09-17 Thread Ian G
On 17/09/10 4:38 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: Regarding strong authentication... I wonder whether cryptographers couldn't preempt the oncoming strong authentication requirements by implementing practical zero-knowledge systems that allow the user to choose from multiple

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Ian G
On 14/10/10 3:56 PM, Zooko O'Whielacronx wrote: In any case, I'm pretty sure that as a *user* of hash functions what I care about is "more likely to fail" (and efficiency), not about "bits of security" for any bit-level greater than about 128 (including consideration of quantum attacks, multi-ta

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-15 Thread Ian G
Hi Steven and all, On 16/10/10 1:56 AM, Steven Bellovin wrote: There are many possible answers to your query -- including, of course, "you're right" -- but maybe we should be a little bit more charitable. Maybe, in fact, they're right. I think one of the flaws in all this is the old "w

[cryptography] NSA's position in the dominance stakes

2010-11-15 Thread Ian G
It used to be said that the NSA employed more mathematicians than the rest of the world put together. This was sort of a comment on their dominance in cryptography. Is this factoid still the case? And, could it be said that the NSA employs more IT Sec people than anyone else? I'm trying to

Re: [cryptography] NSA's position in the dominance stakes

2010-11-15 Thread Ian G
On 16/11/10 9:52 AM, Paul Hoffman wrote: At 9:21 AM +1100 11/16/10, Ian G wrote: It used to be said that the NSA employed more mathematicians than the rest of the world put together. This was sort of a comment on their dominance in cryptography. Is this factoid still the case? And, could

Re: [cryptography] NSA's position in the dominance stakes

2010-11-17 Thread Ian G
On 16/11/10 11:38 AM, Jon Callas wrote: In some places, there's a formal or quasi-formal breakout of who is doing what. For example, in the UK, they have GCHQ and CESG. Even though they're in the same buildings, there's an FLA for each, so you can talk about offense vs. defense. In the US, th

Re: [cryptography] NSA's position in the dominance stakes

2010-11-17 Thread Ian G
On 17/11/10 7:26 AM, David G. Koontz wrote: On 17/11/10 9:01 AM, David G. Koontz wrote: A. US6704870, granted on March 9, 2004 (Yes, published) Sony asserted prior art against this patent in the 2007 case before agreeing Certicom's motion to end the lawsuit, which was granted without pre

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Ian G
On 20/11/10 6:26 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: On Sat, Oct 16, 2010 at 12:29:07PM +1100, Ian G wrote: On this I would demur. We do have a good metric: losses. Risk management starts from the business, and then moves on to how losses are affecting that business, which

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Ian G
On 20/11/10 2:10 PM, James A. Donald wrote: Ian G wrote: On this I would demur. We do have a good metric: losses. Risk management starts from the business, and then moves on to how losses are affecting that business, which informs our threat model. We now have substantial measurable history

Re: [cryptography] NSA's position in the dominance stakes

2010-11-19 Thread Ian G
On 20/11/10 2:42 PM, James A. Donald wrote: On 2010-11-20 9:35 AM, Jon Callas wrote: > Forgive me, but that is insulting to both judges and > juries. In that particular case, it is easy to defend > because the question is "are you using MQV" and the > answer is no. But the defendant is alwa

Re: [cryptography] patents and stuff (Re: NSA's position in the dominance stakes)

2010-11-20 Thread Ian G
On 21/11/10 2:45 AM, John Levine wrote: By the way, what does all this semi-informed ranting about patents have to do with cryptography? NSA's dominance in security engineering? => example of DES-era crypto dominance => ECC push today means? => patents complication => war of words! Th

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-21 Thread Ian G
On 21/11/10 8:37 AM, Marsh Ray wrote: On 11/19/2010 05:39 PM, Ian G wrote: I don't think this qualifies as a bait-and-switch scenario because the originally-advertised functionality (the bait) is still part of the package. :) Bait-and-switch would be more like a salesperson sayin

[cryptography] not trusted

2010-11-22 Thread Ian G
On 21/11/10 11:19 PM, Peter Gutmann wrote: Ian G writes: It sucks so badly, I decided in future that the only moral and ethical way one could use the words encryption or security or the like in any conversation was if the following were the case: there is only one mode, and it is secure

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-23 Thread Ian G
On 24/11/10 7:51 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: On what basis do you make the (implicit) assumption that cert privkeys were actually stolen? For me, it would be Preponderance of evidence, or in non-legal terms "more likely than not." Note; I do not claim to have any

Re: [cryptography] AES side channel attack using a weakness in the Linux scheduler

2010-11-26 Thread Ian G
On 25/11/10 3:26 AM, Jack Lloyd wrote: What are people's thoughts on these kinds of local cache attacks, in terms of actual systems security? While obviously very powerful, I tend to think that once you have a focused attacker in an unprivileged account on your machine, you have bigger problems

Re: [cryptography] current digital cash / anonymous payment projects?

2010-12-01 Thread Ian G
On 1/12/10 6:12 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: Can anyone give me a good rundown of the current anonymous payment systems, technologies and/or algorithms? OK, there are some issues here. There is technology, algorithms, patents, techniques, protocols, applications, ser

Re: [cryptography] current digital cash / anonymous payment projects?

2010-12-01 Thread Ian G
On 2/12/10 1:36 AM, Rayservers wrote: Not really, but one thing is: if you build it bottom-up, from the crypto, you'll have trouble :) Instead, look to the business, and go bottom down. You mean top down... :) Oh, snap! Yes, exactly. iang Which is exactly going on here: http://www.globa

Re: [cryptography] current digital cash / anonymous payment projects?

2010-12-02 Thread Ian G
On 2/12/10 6:32 PM, James A. Donald wrote: On 2010-12-01 11:18 PM, Ian G wrote: On 1/12/10 6:12 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: Can anyone give me a good rundown of the current anonymous payment systems, technologies and/or algorithms? OK, there are some issues here

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-17 Thread Ian G
(resend, with right sender this time) On 17/12/10 3:30 PM, Peter Gutmann wrote: To put it more succinctly, and to paraphrase Richelieu, give me six lines of code written by the hand of the most honest of coders and I'll find something in there to backdoor. This is the sort of extraordinary c

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-18 Thread Ian G
On 18/12/10 7:54 PM, James A. Donald wrote: On 2010-12-18 1:39 AM, Alfonso De Gregorio wrote: Along this line, there is, by some years, The Underhanded C Contest, an annual contest to write innocent-looking C code implementing malicious behavior http://underhanded.xcott.com/ Those participatin

Re: [cryptography] validating SSL cert chains & timestamps

2010-12-20 Thread Ian G
On 21/12/10 5:46 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: So a co-worker ran into this lately; libnss, at least on Linux, checks that the signing cert (chain) is valid at the time of signature - as opposed to present time. (It may check present time as well - not sure on that). Th

Re: [cryptography] wanted: recommendations for best papers in cryptology

2011-01-08 Thread Ian G
Following is written as a user perspective, not a cryptography perspective :) On 8/01/11 1:03 PM, travis+ml-rbcryptogra...@subspacefield.org wrote: Hey all, I'm attempting to create an extensive archive of papers on -graphy and -analysis, locally stored and broken down by category/hierarchy, a

Re: [cryptography] encrypted storage, but any integrity protection?

2011-01-16 Thread Ian G
On 14/01/11 5:40 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: So does anyone know off the top of their head whether dm-crypt or TrueCrypt (or other encrypted storage things) promise data integrity in any way, shape or form? I'm assuming they're just encrypting, but figured I'd ask befor
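The question above is whether encrypted storage promises any integrity. The following is an added example (not code from the thread, nor from dm-crypt or TrueCrypt) that shows why encryption alone does not: with a stream/CTR construction, anyone who knows where a field sits in the plaintext can flip it in the ciphertext without the key, and decryption returns the altered record with no error. The same block then shows encrypt-then-MAC rejecting the tampered ciphertext. Assumption: a SHA-256-based keystream (hash of key, nonce and counter) stands in for a real CTR-mode block cipher, since the standard library has no AES; the malleability is a property of the XOR construction, not of this stand-in. The record layout and keys are constructed sample values.

```python
"""Encryption without integrity is malleable (added example, not from the thread).

Assumption: keystream() is a hash-based stand-in for a CTR-mode block
cipher; any construction that XORs plaintext with a keystream behaves
the same way under bit-flipping.
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Stand-in PRF keystream: SHA-256(key || nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key, nonce, data):
    """Confidentiality only: plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


decrypt_only = encrypt_only  # XOR with the same keystream inverts itself


def flip_field(ciphertext, offset, old, new):
    """Attacker step: without the key, change what decrypts at `offset`
    from `old` to `new` by XORing the difference into the ciphertext."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length")
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def encrypt_then_mac(enc_key, mac_key, nonce, data):
    """Confidentiality plus integrity: HMAC over nonce and ciphertext."""
    ct = encrypt_only(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return ct, tag


def decrypt_then_verify(enc_key, mac_key, nonce, ct, tag):
    """Verify the tag in constant time before touching the plaintext."""
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return decrypt_only(enc_key, nonce, ct)


def demo():
    """Constructed sample: a stored record with a privilege flag.

    Returns (what encrypt-only storage hands back after tampering,
             whether encrypt-then-MAC detected the same tampering).
    """
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    record = b"uid=1000;admin=0;"
    off = record.index(b"admin=0")  # attacker knows the layout, not the key

    ct = encrypt_only(enc_key, nonce, record)
    silently_modified = decrypt_only(enc_key, nonce, flip_field(ct, off, b"admin=0", b"admin=1"))

    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, record)
    try:
        decrypt_then_verify(enc_key, mac_key, nonce, flip_field(ct2, off, b"admin=0", b"admin=1"), tag)
        detected = False
    except ValueError:
        detected = True
    return silently_modified, detected


if __name__ == "__main__":
    modified, detected = demo()
    print("encrypt-only decrypts tampered data to:", modified)
    print("encrypt-then-MAC detected tampering:", detected)
```

The granularity differs with the mode the disk encryption actually uses: CBC flips the same bit in the following block and garbles the current one, and XTS garbles the whole 16-byte block rather than a chosen bit. None of them reports the change; that is what a MAC (or an authenticated mode) adds.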

Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Ian G
On 6/06/11 2:53 PM, Marsh Ray wrote: Come on. There are people in tall glass buildings that will be using this keyboard to enter passwords that manage accounts containing millions of dollars on a regular basis. And there's a very high practical limit on the gain of the antenna that could be aime

Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Ian G
On 6/06/11 11:57 AM, David G. Koontz wrote: On 5/06/11 6:26 PM, Peter Gutmann wrote: That's the thing, you have to consider the threat model: If anyone's really that desperately interested in watching your tweets about what your cat's doing as you type them then there are far easier attack chan

Re: [cryptography] Current state of brute-forcing random keys?

2011-06-09 Thread Ian G
On 10/06/11 3:14 AM, Paul Hoffman wrote: Greetings again. I am helping someone design a system that will involve giving someone a randomly-generated key that they have to type in order to unlock data that is private but not terribly valuable. Thus, we want to keep the key as short as practical

Re: [cryptography] Digital cash in the news...

2011-06-11 Thread Ian G
On 11/06/11 7:42 PM, Eugen Leitl wrote: On Sat, Jun 11, 2011 at 02:16:55AM -, John Levine wrote: In article<021ccba9-9203-4896-8412-481b94595...@cs.columbia.edu> you write: http://gcn.com/articles/2011/06/09/bitcoins-digital-currency-silk-road-charles-schumer-joe-manchin.aspx?s=gcndaily_10

Re: [cryptography] Digital cash in the news...

2011-06-11 Thread Ian G
On 11/06/11 9:01 PM, Eugen Leitl wrote: On Sat, Jun 11, 2011 at 03:58:07PM +1200, Peter Gutmann wrote: "John Levine" writes: I wouldn't call bitcoins digital cash. They're more like digital tulip bulbs, Finally an analogy I can use to explain bitcoin to the masses (well, assuming they know

Re: [cryptography] Digital cash in the news...

2011-06-11 Thread Ian G
On 12/06/11 8:29 AM, Jeffrey Walton wrote: On Sat, Jun 11, 2011 at 4:13 PM, John Levine wrote: Unlike fiat currencies, algorithms assert limit of total volume. And the mint and transaction infrastructure is decentral, so there's no single point of control. These both are very useful properties.

Re: [cryptography] Digital cash in the news...

2011-06-12 Thread Ian G
On 12/06/11 4:21 PM, Peter Gutmann wrote: Am I the only one who thinks it's not coincidence that the (supposed) major use of bitcoin is by people buying hallucinogenic substances? The best way to think of this is from the marketing concepts of "product diffusion" or "product life cycle". ht

Re: [cryptography] attacks against bitcoin

2011-06-12 Thread Ian G
On 12/06/11 8:16 PM, Eugen Leitl wrote: How safe is the bitcoin cryptosystem and the communication network against targeted attacks? It depends on what the intention or objective of the attack is. And that depends on the threat actor. For example, a phishing threat actor would be looking t

Re: [cryptography] Digital cash in the news...

2011-06-12 Thread Ian G
On 12/06/11 10:55 PM, Nicholas Bohm wrote: Ah well. I joined bitcoin quite early, seeing it as like donating spare cycles to an interesting experiment. I do agree whole heartedly that this is a great fun experiment, and worthy of attention. It has pushed the boundaries of what we've known a

Re: [cryptography] Digital cash in the news...

2011-06-12 Thread Ian G
On 13/06/11 12:05 PM, James A. Donald wrote: On 2011-06-13 9:26 AM, Ian G wrote: However. Unless the laws of financial conservation have been repealed by the design, those who follow have to invest a lot and come out with less... Financial conservation does not apply to money. Right, not to

[cryptography] Is BitCoin a triple entry system?

2011-06-13 Thread Ian G
On 13/06/11 12:56 PM, James A. Donald wrote: On 2011-06-12 8:57 AM, Ian G wrote: I wrote a paper about John Levine's observation of low knowledge, way back in 2000, called "Financial Cryptography in 7 Layers." The sort of unstated thesis of this paper was that in order to under

Re: [cryptography] Digital cash in the news...

2011-06-13 Thread Ian G
On 13/06/11 5:54 PM, Adam Back wrote: Bitcoin is not a pyramid scheme, and doesn't have to have the collapse and late joiner losers. If bitcoin does not lose favor - i.e. the user base grows and then maintains size of user base in the long term, then no one loses. Um, Adam, that's the very definit

Re: [cryptography] sander & ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)

2011-06-14 Thread Ian G
On 14/06/11 6:13 PM, Adam Back wrote: See also: Auditable Anonymous Electronic Cash by Tomas Sander and Amnon Ta-Shma in crypto 1998. http://www.math.tau.ac.il/~amnon/Papers/ST.crypto99.pdf ... In their setting Sander & Ta-Shma also can identify double-spenders because their identity is inclu

Re: [cryptography] Crypto-economics metadiscussion

2011-06-14 Thread Ian G
On 14/06/11 2:31 AM, Marsh Ray wrote: I ain't no self-appointed moderator of this list and I do find the subject of economics terribly interesting, but maybe it would make sense to willfully confine the scope of our discussion of Bitcoin and other virtual currencies to the crypto side of it. C

Re: [cryptography] Crypto-economics metadiscussion

2011-06-14 Thread Ian G
On 15/06/11 12:47 AM, Ian G wrote: Or worse: http://forum.bitcoin.org/index.php?topic=16457.0 That link is down, no surprise. From my cached copy, I wrote it up on the blog: http://financialcryptography.com/mt/archives/001327.html Far too much from me, signing out... iang

Re: [cryptography] Is Bitcoin legal?

2011-06-16 Thread Ian G
On 16/06/11 12:34 AM, John Levine wrote: Bitcoins aren't securities, because they don't act like securities. Right. Or more particularly, he asked: "... I can’t help wondering why Bitcoins aren’t unregistered securities." And the answer is that the registrar of securities defines wha

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-21 Thread Ian G
On 20/06/11 10:59 AM, Solar Designer wrote: On Wed, Jun 15, 2011 at 04:22:55AM +0400, Solar Designer wrote: I am trying to learn some lessons from this. This used to happen to me a lot in the old Cryptix days, which for a while were a sort of smorgasbord of algorithms. One lesson was tha

Re: [cryptography] RDRAND and Is it possible to protect against malicious hw accelerators?

2011-06-21 Thread Ian G
On 18/06/11 8:16 PM, Marsh Ray wrote: On 06/18/2011 03:08 PM, slinky wrote: But we know there are still hundreds of "trusted" root CAs, many from governments, that will silently install themselves into Windows at the request of any website. Some of these even have code signing capabiliti

Re: [cryptography] Repeated Encryptions Considered.... ?

2011-06-21 Thread Ian G
On 19/06/11 9:47 PM, Jon Callas wrote: On Jun 19, 2011, at 5:54 PM, Nico Williams wrote: On Sun, Jun 19, 2011 at 7:01 PM, Jon Callas wrote: That brings us back to the main question: what problem are you trying to solve? The OP mentioned that the context was JavaScript crypto, and whether

[cryptography] this house believes that user's control over the root list is a placebo

2011-06-25 Thread Ian G
On 21/06/11 4:15 PM, Marsh Ray wrote: On 06/21/2011 12:18 PM, Ian G wrote: On 18/06/11 8:16 PM, Marsh Ray wrote: On 06/18/2011 03:08 PM, slinky wrote: But we know there are still hundreds of "trusted" root CAs, many from governments, that will silently install themselves in

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Ian G
On 26/06/11 5:50 AM, Ralph Holz wrote: Hi, Any model that offers a security feature to a trivially tiny minority, to the expense of the dominant majority, is daft. The logical conclusion of 1.5 decades' worth of experience with centralised root lists is that we, in the aggregate, may as well tr

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-27 Thread Ian G
On 26/06/11 1:26 PM, Marsh Ray wrote: On 06/25/2011 03:48 PM, Ian G wrote: On 21/06/11 4:15 PM, Marsh Ray wrote: This was about the CNNIC situation, Ah, the "I'm not in control of my own root list" threat scenario. See, the thing there is that CNNIC has a dirty reputation.

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Ian G
On 28/06/11 11:25 AM, Nico Williams wrote: On Tue, Jun 28, 2011 at 9:56 AM, Marsh Ray wrote: Consequently, we can hardly blame users for not using special characters in their passwords. The most immediate problem for many users w.r.t. non-ASCII in passwords is not the likelihood of interop

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-29 Thread Ian G
On 28/06/11 1:01 PM, Paul Hoffman wrote: And this discussion of ASCII and internationalization has what to do with cryptography, I personally think this list is about users of crypto, rather than cryptographers-creators in particular. The former are mostly computer scientists who think in b

Re: [cryptography] preventing protocol failings

2011-07-04 Thread Ian G
On 5/07/11 9:28 AM, Sampo Syreeni wrote: (I'm not sure whether I should write anything anytime soon, because of Len Sassaman's untimely demise. He was an idol of sorts to me, as a guy who Got Things Done, while being of comparable age to me. But perhaps it's equally valid to carry on the ideas, a

Re: [cryptography] Bitcoin observation

2011-07-05 Thread Ian G
On 5/07/11 4:44 PM, Jon Callas wrote: Did you know that if a Bitcoin is destroyed, then the value of all the other Bitcoins goes up slightly? That's incredible. It's amazing and leads to some emergent properties. This assumes fixed value. As there is no definition of the value in BitCoin, i

Re: [cryptography] preventing protocol failings

2011-07-05 Thread Ian G
On 5/07/11 3:59 PM, Jon Callas wrote: There are plenty of people who agree with you that options are bad. I'm not one of them. Yeah, yeah, sure, it's always easy to make too many options. But just because you can have too many options that doesn't mean that zero is the right answer. That's ju

Re: [cryptography] preventing protocol failings

2011-07-12 Thread Ian G
On 13/07/11 8:36 AM, Andy Steingruebl wrote: On Tue, Jul 12, 2011 at 2:24 PM, Zooko O'Whielacronx wrote: When systems come with good usability properties in the key management (SSH, and I modestly suggest ZRTP and Tahoe-LAFS) then we don't see this pattern. People are willing to use secure too

Re: [cryptography] preventing protocol failings

2011-07-12 Thread Ian G
On 13/07/11 9:25 AM, Marsh Ray wrote: On 07/12/2011 04:24 PM, Zooko O'Whielacronx wrote: On Tue, Jul 12, 2011 at 11:10 AM, Hill, Brad wrote: I have found that when H3 meets deployment and use, the reality too often becomes: "Something's gotta give." We haven't yet found a way to hide enough of

Re: [cryptography] preventing protocol failings

2011-07-12 Thread Ian G
On 13/07/11 3:10 AM, Hill, Brad wrote: Re: H3, "There is one mode and it is secure" I have found that when H3 meets deployment and use, the reality too often becomes: "Something's gotta give." We haven't yet found a way to hide enough of the complexity of security to make it free, and this in

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ian G
On 13/07/11 9:27 PM, Ralph Holz wrote: Hi, You know this is why you should use ssh-keys and disable password authentication. First thing I do when someone gives me an ssh account. Using keys to authenticate is what I usually do, too. But even if a user decides not to use plain password auth,

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ian G
On 14/07/11 4:33 AM, Jeffrey Walton wrote: On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald wrote: On 2011-07-13 9:10 PM, Peter Gutmann wrote: As for Microsoft, Microsoft have a big interest in bypassing the status quo, and they've tried several times. But each time it isn't for the bene

Re: [cryptography] OTR and deniability

2011-07-14 Thread Ian G
On 14/07/11 12:37 PM, Ai Weiwei wrote: Hello list, Recently, Wired published material on their website which is claimed to be logs of instant message conversations between Bradley Manning and Adrian Lamo in that infamous case. [1] I have only casually skimmed them, but did notice the followi

Re: [cryptography] OTR and deniability

2011-07-18 Thread Ian G
Back in the 1980s, a little thing called public key cryptography gave birth to a metaphor called the "digital signature" which some smart cryptographers thought to be a technological analogue of the human manuscript act of signing. It wasn't, but this didn't stop the world spending vast sums t

Re: [cryptography] bitcoin scalability to high transaction rates

2011-07-19 Thread Ian G
On 20/07/11 3:25 AM, lodewijk andré de la porte wrote: This would revive many of the things people have aspired to kill with bitcoins. Among others the "creation" of money (I can borrow and "store" more money than I have). It would also mean moving the scalability problem to a centralized system,

Re: [cryptography] OTR and deniability

2011-07-19 Thread Ian G
On 19/07/11 1:59 PM, James A. Donald wrote: On 2011-07-19 9:48 AM, Ian G wrote: OTR makes the same error. It takes a very interesting mathematical property, and extends it into the hard human world, as if the words carry the same meaning. Perhaps, once upon a time, in some TV court room drama

Re: [cryptography] bitcoin scalability to high transaction rates

2011-07-20 Thread Ian G
On 20/07/11 9:08 PM, Eugen Leitl wrote: On Wed, Jul 20, 2011 at 11:56:06AM +0200, Alfonso De Gregorio wrote: I'd better rephrase it in: expectation to have "money backed by bitcoins" exhibiting all the desirable properties of a perfect currency (ie, stable money) are greatly exaggerated. The

Re: [cryptography] bitcoin scalability to high transaction rates

2011-07-20 Thread Ian G
On 20/07/11 8:02 AM, Sampo Syreeni wrote: On 2011-07-20, Ian G wrote: To answer OP, typically all trading is done on a delayed and netted settlement. Which is to say the trade might be done real time but the settlement is batched for later, typically after market closing. No money changes

Re: [cryptography] Single-key key recovery for full AES

2011-08-20 Thread Ian G
Curiously, AES is now being reported as "broken." http://www.theregister.co.uk/2011/08/19/aes_crypto_attack/ Yet, I'm sure I read earlier that the recovery attack was a few bits short of the brute force attack. Here it is: On 18/08/11 1:52 AM, Jack Lloyd wrote: http://research.microsoft.com

Re: [cryptography] Smart card with external pinpad

2011-08-20 Thread Ian G
On 21/08/11 6:21 AM, Simon Josefsson wrote: Thierry Moreau writes: If there were devices meeting the stated goal (commercially available with a reasonable cost structure), they would be a very useful security solution element for high security contexts. The user guidance would be: never enter t

Re: [cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

2011-09-05 Thread Ian G
On 5/09/11 7:23 PM, Gervase Markham wrote: The thing which makes the entire system as weak as its weakest link is the lack of CA pinning. Just a question of understanding: how is the CA pinning information delivered to the browser? (For those who don't know, I also had to look it up too :

Re: [cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

2011-09-06 Thread Ian G
On 6/09/11 1:07 PM, Peter Gutmann wrote: This is true, but I'm not sure it's particularly relevant. (Who claims that HSMs are magic pixie dust?) CAs, when they issue a press release saying "everything's OK, we never lost control of our private key"? Some European countries also seem to have a

Re: [cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

2011-09-06 Thread Ian G
On 5/09/11 7:23 PM, Gervase Markham wrote: Hi Peter, On 04/09/11 07:15, Peter Gutmann wrote: Blacklist-based validity checking, the Second Dumbest Idea in Computer Security (Marcus Ranum), doesn't work: Diginotar issued certs for which there was no record of issuance, therefore they coul

Re: [cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

2011-09-06 Thread Ian G
On 7/09/11 3:03 AM, Gervase Markham wrote: 2) the lack of CA advertising in the chrome. This is an old argument, and my position remains: Yes, and yes :) there is no way we are ever going to get average users to pay attention to CA branding, I've watched TV so I know what an advert is ;)

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Ian G
On 7/09/11 7:34 AM, Fredrik Henbjork wrote: Here's another gem related to the subject. In 2003 CAcert wished to have their root certificate added to Mozilla's browser, and in the resulting discussion in Bugzilla, Mozilla cryptodeveloper Nelson Bolyard had the following to say: "I have no opinio

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Ian G
On 8/09/11 5:34 AM, Fredrik Henbjork wrote: http://www.globalsign.com/company/press/090611-security-response.html This whole mess just gets "better and better"... "As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete.

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Ian G
On 8/09/11 6:02 AM, I wrote: H I'm not sure I'd suspend issuance without some evidence. On 8/09/11 6:13 AM, Franck Leroy wrote, coz he checked the source!: > > http://pastebin.com/GkKUhu35 > > extract: > > Third: You only heards Comodo (successfully issued 9 certs for me - > thanks by t

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-08 Thread Ian G
On 08/09/2011, at 11:31, Lucky Green wrote: > The SSL/public CA model did an admirable job in that regard and Taher > ElGamal and Paul Kocher deserve full credit for this accomplishment. As long as we can document that original model, I'm inclined to agree. > SSL's design goals explicitly ex

Re: [cryptography] PKI "fixes" that don't fix PKI (part II)

2011-09-08 Thread Ian G
Hi, Lucky, good to see some perspective! On 08/09/2011, at 8:52, Lucky Green wrote: > o Changes to OCSP . > The > problem was that the top three CA vendors at the time, RSA Security, > VeriSign, and Netscape didn't have a comprehensive database of > certificates issued by their software and w

Re: [cryptography] Symantec gets it wrong

2011-09-08 Thread Ian G
> To be contrarian for a moment > > In the "old days" (a few months ago) the only real difference for a > customer between most CAs was how widely their trust was distributed. As far as I can see, trust is still distributed equally and broadly. That's the nature of the homogenising des

Re: [cryptography] PKI "fixes" that don't fix PKI (part III)

2011-09-10 Thread Ian G
Arrgghh apologies. I fell asleep over my iPhone and my finger slid over the Send button. On 10/09/2011, at 8:46, Ian G wrote: > > > On 09/09/2011, at 9:11, Lucky Green wrote: > >> o What do I mean by the "SSL system"? > > I've taken to using

Re: [cryptography] PKI "fixes" that don't fix PKI (part III)

2011-09-10 Thread Ian G
On 09/09/2011, at 9:11, Lucky Green wrote: > o What do I mean by the "SSL system"? I've taken to using TLS for the protocol, SSL in the wider context including PKI/certs, and "secure browsing" for the headline or flagship application. (imho, we can safely ignore any criticism on semantics, t

Re: [cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))

2011-09-10 Thread Ian G
Hi Adam, On 10/09/2011, at 20:16, Adam Back wrote: > So I hear CA pinning mentioned a bit as a probable way forward, but I didn't > see anyone define it on this list, Adam described it in this list. The specific mechanism is less important than what it achieves: the browser knows that the websi

Re: [cryptography] PKI "fixes" that don't fix PKI (part III)

2011-09-10 Thread Ian G
Hi Steve, On 11/09/2011, at 1:07, Steven Bellovin wrote: >> Sorry, that doesn't work. Afaik, there is practically zero evidence of >> Internet interception of credit cards. > > This makes no sense whatsoever. (the point here is that the original statement said we had limited Internet eavesd

Re: [cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))

2011-09-10 Thread Ian G
On 11/09/2011, at 1:30, Douglas Huff wrote: > On Sep 10, 2011, at 8:28 AM, Ian G wrote: > >> Hi Adam, >> >> On 10/09/2011, at 20:16, Adam Back wrote: >> >>> So I hear CA pinning mentioned a bit as a probable way forward, but I didn't >>>

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-10 Thread Ian G
On 11/09/2011, at 3:22, Andy Steingruebl wrote: > On Fri, Sep 9, 2011 at 6:22 PM, Peter Gutmann > wrote: > >> May I make the following modest proposal: >> >> A "fix" (of whatever form you want to try) is only regarded as valid if it >> leads to at least a 25% decrease in phishing, measure

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-11 Thread Ian G
On 11/09/2011, at 10:02, "James A. Donald" wrote: > On 2011-09-11 9:10 AM, Andy Steingruebl wrote: >> 1. Phishing isn't the only problem right? Malware + breaches might be the other 2 biggies. Note that the malware/pc takeover market was probably financed by profits from phishing. Breaches

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-11 Thread Ian G
On 11/09/2011, at 9:10, Andy Steingruebl wrote: > On Sat, Sep 10, 2011 at 4:01 PM, Peter Gutmann > wrote: >> >> Sure, figuring out whether it'll actually work is an experiment. OTOH we >> have >> vast masses of data on what phishers are doing, Which can be reduced to one observation: Phis

Re: [cryptography] PKI "fixes" that don't fix PKI (part III)

2011-09-11 Thread Ian G
On 11/09/2011, at 7:50, Steven Bellovin wrote: > > On Sep 10, 2011, at 4:14 00PM, John Levine wrote: > >>> This makes no sense whatsoever. Credit card numbers are *universally* >>> encrypted; of course there's no interception of them. >> >> There's a fair amount of low-level ecommerce by e-

[cryptography] After the dust settles -- what happens next? (v. Long)

2011-09-11 Thread Ian G
Lucky & Peter said: > >> Moreover, I noticed that some posts list one or more desirable properties >> and requirements together with a proposed solution. > > That's the nice thing about PKI, there's more than enough fail to go around. So, what happens now? As we all observe, there are two app

Re: [cryptography] After the dust settles -- what happens next? (v. Long)

2011-09-12 Thread Ian G
The problem with "shifts of faith" is that if there is really a groundswell against, we're as likely to miss it. People who leave generally do exactly that, and don't bother talking about it. That said .. >>> Some of us observe a third, more likely approach: nothing significant >>> happens due

Re: [cryptography] PKI - and the threat model is ...?

2011-09-12 Thread Ian G
On 13/09/2011, at 0:15, "M.R." wrote: > In these long and extensive discussions about "fixing PKI" there > seems to be a fair degree of agreement that one of the reasons > for the current difficulties is the fact that there was no precisely > defined threat model, documented and agreed upon ~be

Re: [cryptography] PKI - and the threat model is ...?

2011-09-12 Thread Ian G
On 13/09/2011, at 5:12, Marsh Ray wrote: > It never was, and yet, it is asked to do that routinely today. > > This is where threat modeling falls flat. > > The more generally useful a communications facility that you develop, the > less knowledge and control the engineer has about the condit

Re: [cryptography] Let's go back to the beginning on this

2011-09-13 Thread Ian G
On 13/09/2011, at 23:57, Jeffrey Walton wrote: > On Mon, Sep 12, 2011 at 5:48 PM, James A. Donald wrote: >>-- >> On 2011-09-11 4:09 PM, Jon Callas wrote: >>> The bottom line is that there are places that continuity >>> works well -- phone calls are actually a good one. There >>> are places

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Ian G
On 15/09/2011, at 15:40, "Kevin W. Wall" wrote: > Trust is not binary. Right. Or, in modelling terms, trust isn't absolute. AES might be 99.99% reliable, which is approximately 100% for any million or so events [1]. Trust in a CA might be more like 99%. Now, if we have a 1% untrustworth

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Ian G
On 16/09/2011, at 1:22, Andy Steingruebl wrote: > On Wed, Sep 14, 2011 at 7:34 PM, Arshad Noor > wrote: >> >> However, an RP must assess this risk before trusting a self-signed >> Root CA's certificate. If you believe there is uncertainty, then >> don't trust the Root CA. Delete their cert

Re: [cryptography] Let's go back to the beginning on this

2011-09-16 Thread Ian G
On 17/09/11 2:33 AM, Ben Laurie wrote: A sufficiently low upper bound is convincing enough :-) This is all the example seeks to show: There is a low upper bound. We really don't care whether it is 1% or 30%, or +/- 2% or finger in the air... as long as it is too low to be credible. We ju

Re: [cryptography] The consequences of DigiNotar's failure

2011-09-16 Thread Ian G
On 17/09/11 3:07 AM, M.R. wrote: On 16/09/11 09:16, Jeffrey Walton wrote: The problem is that people will probably die due to DigiNotar's failure. I am not the one to defend DigiNotar, but I would not make such a dramatic assumption. No one actively working against a government that is known to enga

Re: [cryptography] The consequences of DigiNotar's failure

2011-09-18 Thread Ian G
On 18/09/11 8:38 AM, Jeffrey Walton wrote: On Fri, Sep 16, 2011 at 1:07 PM, M.R. wrote: On 16/09/11 09:16, Jeffrey Walton wrote: The problem is that people will probably die due to DigiNotar's failure. I am not the one to defend DigiNotar, but I would not make such a dramatic assumption. I don't

Re: [cryptography] SSL is not "broken by design"

2011-09-18 Thread Ian G
On 18/09/11 4:34 PM, M.R. wrote: On 17/09/11 17:56, lodewijk andré de la porte wrote: > ...therefore assumes others assume SSL to be broken by design... SSL is not "broken by design"! See counter-proof at bottom. SSL was designed to protect relatively low-value retail commerce, and it still
