at Monday, November 04, 2002 2:28 AM, Tim May [EMAIL PROTECTED] was seen
to say:
Those who need to know, know.
Which of course is a viable model, provided you are only using your key
for private email to those who need to know
if you are using it for signatures posted to a mailing list though, it
and the Poor)
From: Trei, Peter [EMAIL PROTECTED]
To: [EMAIL PROTECTED], 'Major Variola (ret)' [EMAIL PROTECTED]
Subject: RE: What email encryption is actually in use?
Date: Mon, 4 Nov 2002 12:58:55 -0500
Major Variola (ret)[SMTP:[EMAIL PROTECTED]]
At 10:13 AM 11/4/02 -0500, Tyler Durden wrote
for their parent companies, ehr, for their parent countries).
If a secure VPN tunnel forms between al-Jazeera's firewall and, say, some
ISP near Atlantic Avenue in Brooklyn (heavy Arab community), then all
sorts
of spyglasses could pop up.
The title of this thread is What email encryption
On Sun, Nov 03, 2002 at 11:23:36AM -0800, Tim May wrote:
- -- treat text as text, to be sent via whichever mail program one uses,
or whichever chatroom software (not that encrypted chat rooms are
likely...but who knows?), or whichever news reader software
http://www.invisible.net is sort of
On Mon, Nov 04, 2002 at 12:58:55PM -0500, Trei, Peter wrote:
Durden's question was whether a snooper on an IPSEC VPN can
tell (for example) an encrypted email packet from an encrypted
HTTP request.
The answer is no.
All Eve can tell is the FW1 sent FW2 a packet of a certain size.
The
Tim May[SMTP:[EMAIL PROTECTED]]
On Saturday, November 2, 2002, at 08:01 PM, Tyler Durden wrote:
Prior to that, the encrypted email I've sent in the past year or so
has almost always failed, because of version incompatibilities,
While in Telecom I was auditing optical transport
knowledge of 3.) It may be possible
for hardware that examines large numbers of communiques to pre-determine
that much is of no interest.
From: Trei, Peter [EMAIL PROTECTED]
To: [EMAIL PROTECTED], 'Tim May' [EMAIL PROTECTED]
Subject: RE: What email encryption is actually in use?
Date: Mon, 4 Nov
at Monday, November 04, 2002 3:13 PM, Tyler Durden
This is an interesting issue...how much information can be gleaned
from encrypted payloads?
Usually, the VPN is an encrypted tunnel from a specified IP (individual
pc or lan) to another specified IP (the outer marker of the lan, usually
the
--
From: Tyler Durden[SMTP:[EMAIL PROTECTED]]
Sent: Monday, November 04, 2002 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: What email encryption is actually in use?
The ever-thought-provoking Peter Trei wrote...
A great deal of highly sensitive internal
Tyler Durden[SMTP:[EMAIL PROTECTED]] writes:
Most the ones I've seen are IPSEC over IPv4. You might be able to glean
some info from packet size, timing, and ordering, but not much. IPSEC
takes a plaintext IP packet and treats the whole thing as a data block
to be encrypted.
SO this
...
From: Trei, Peter [EMAIL PROTECTED]
To: [EMAIL PROTECTED], 'Tyler Durden' [EMAIL PROTECTED]
Subject: RE: What email encryption is actually in use?
Date: Mon, 4 Nov 2002 11:00:56 -0500
--
From: Tyler Durden[SMTP:[EMAIL PROTECTED]]
Sent: Monday, November 04, 2002 10:13 AM
At 10:13 AM 11/4/02 -0500, Tyler Durden wrote:
This is an interesting issue...how much information can be gleaned from
encrypted payloads?
Traffic analysis (who, how frequently, temporal patterns)
Size of payload
Is it possible for a switch or whatever that has
visibility up to layers 4/5/6 to
Major Variola (ret)[SMTP:[EMAIL PROTECTED]]
At 10:13 AM 11/4/02 -0500, Tyler Durden wrote:
This is an interesting issue...how much information can be gleaned from
encrypted payloads?
Traffic analysis (who, how frequently, temporal patterns)
Size of payload
Is it possible for a
-BEGIN PGP SIGNED MESSAGE-
If you signed your messages on a regular basis, it would let me know
whether or not you're the same Tim May, I've been reading since back
when toad.com was the only server for the list.
If your key was signed by anyone I've dealt with, who I know will
On Saturday November 2 2002 11:09, Adam Shostack wrote:
I'd be interested to hear how often email content is protected by any
form of crypto, including IPsec, Starttls, ssh delivery, or PGP or
SMIME. There's probably an interesting paper in going out and
looking at this.
I use GnuPG to the
FWIW
In the Si biz, it's quite common to encrypt files. I've
seen (albeit lame, and with guessable passwords)
zip encryption and the classic crypt used.
Between engineers, and between lawyers and engineers.
Typically the encrypted info is an attachment to unencrypted
email (often describing its
On Sat, 2 Nov 2002, Tim May wrote:
PK crypto has made a lot of things a lot easier, but expecting it all
to work with a click of a button is naive. Of course, most of us don't
actually have secrets which make protocols and efforts justifiable.
There's the rub.
I expect it to work with the
On Sunday 03 November 2002 12:53, Len Sassaman wrote:
On Sat, 2 Nov 2002, Tim May wrote:
PK crypto has made a lot of things a lot easier, but expecting it
all to work with a click of a button is naive. Of course, most of
us don't actually have secrets which make protocols and efforts
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Sunday, November 3, 2002, at 09:53 AM, Len Sassaman wrote:
What's naive is trying to ram such products down the public's
collective
throat. Cryptographic solutions are not of all or nothing strength. I
don't know why UI hasn't been the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Sunday, November 3, 2002, at 10:29 AM, Steve Furlong wrote:
Agreed. Setup should be pretty simple, but daily use for the unwashed
masses has to be one-click. And version compatibility problems have
_got_ to disappear. Actually, PGP's Outlook
On Sun, Nov 03, 2002 at 11:23:36AM -0800, Tim May wrote:
| I think most users, even casual ones, would accept this advice:
|
| Look, encrypted text is just a rearrangement of text. Compose your
| message in whatever editor or word processor you want, apply the
| encryption directly to that
On Saturday, November 2, 2002, at 08:01 PM, Tyler Durden wrote:
Prior to that, the encrypted email I've sent in the past year or so
has almost always failed, because of version incompatibilities,
While in Telecom I was auditing optical transport gear, and we adopted
the practice of
On Sunday, November 3, 2002, at 06:14 PM, David W. Hodgins wrote:
-BEGIN PGP SIGNED MESSAGE-
The advantages really disappear, when the key used to sign the
message
isn't sent to the key servers {:.
Those who need to know, know.
You, I've never seen before. Even if you found my key
--
James A. Donald:
I intended to sign this using Network Associates command
line pgp, [6.5.8] only to discover that pgp -sa file
produced unintelligible gibberish, that could only be made
sense of by pgp, so that no one would be able to read it
without first checking my signature.
at Monday, September 30, 2002 7:52 PM, James A. Donald
[EMAIL PROTECTED] was seen to say:
Is it practical for a particular group, for
example a corporation or a conspiracy, to whip up its own
damned root certificate, without buggering around with
verisign? (Of course fixing Microsoft's
An interesting tidbit in the September Information Security Bulletin
is the claim from MessageLabs that only .005% of the mail they saw in
2002 is encrypted, up from .003% in 2000. (MessageLabs is an
outsourcing email anti-virus company.)
At this thrilling rate of growth, it will be on the order
On Saturday 02 November 2002 12:09, Adam Shostack wrote:
An interesting tidbit in the September Information Security Bulletin
is the claim from MessageLabs that only .005% of the mail they saw in
2002 is encrypted, up from .003% in 2000.
... Last month, about
5% of my email was sent PGP
Peter wrote [about the benefits of STARTTLS]:
As opposed to more conventional encryption, where you're
protecting nothing at any point along the chain, because
99.99% of the user base can't/won't use it. In any case most
email is point-to-point, which means you are protecting the
entire
at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann
[EMAIL PROTECTED] was seen to say:
For encryption, STARTTLS, which protects more mail than all other
email encryption technology combined. See
http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02_slides.pdf
(towards the back).
I would dispute
There have been episodes of spoofing on this list. If client
side encryption just worked, and if what is considerably more
difficult, checking the signatures just worked, there would
be no bother, hence it would be rational to sign
Not just work but opt out is what you are looking for. If
Ben Laurie wrote:
On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
--
James A. Donald wrote:
If we had client side encryption that just works we would
be seeing a few more signed messages on this list,
Ben Laurie
At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
--
James A. Donald wrote:
If we had client side encryption that just works we would
be seeing a few more signed messages on this list,
Ben Laurie wrote:
Why would I want to sign a message to this list?
Then all the people who read this
On Fri, Oct 04, 2002 at 01:07:50PM -0700, Major Variola (ret) wrote:
At 04:45 PM 10/3/02 -0700, James A. Donald wrote:
--
James A. Donald wrote:
If we had client side encryption that just works we would
be seeing a few more signed messages on this list,
Ben Laurie wrote:
Why
James A. Donald:
If we had client side encryption that just works we
would be seeing a few more signed messages on this list,
Major Variola (ret):
But Ben is not spoofed here! So there is little motivation.
[...]
In the absence of any need, it's not rational to bother.
There have
Adam Shostack wrote:
What's wrong with PGP sigs is that going on 9 full years after I
generated my first pgp key, my mom still can't use the stuff.
Mozilla+enigmail+gpg. It just works.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
There is no limit to
--
James A. Donald wrote:
If we had client side encryption that just works we would
be seeing a few more signed messages on this list, and
those that appear, would actually be checked. Send an
unnecessarily encrypted message to Tim and he will probably
threaten to shoot you.
Ben
--
Adam Shostack wrote:
What's wrong with PGP sigs is that going on 9 full years
after I generated my first pgp key, my mom still can't use
the stuff.
On 3 Oct 2002 at 17:33, Ben Laurie wrote:
Mozilla+enigmail+gpg. It just works.
If we had client side encryption that just works we
On Thu, Oct 03, 2002 at 11:15:02AM -0700, James A. Donald wrote:
On 3 Oct 2002 at 17:33, Ben Laurie wrote:
Mozilla+enigmail+gpg. It just works.
If we had client side encryption that just works we would be
seeing a few more signed messages on this list, and those that
appear, would
James A. Donald wrote:
--
Adam Shostack wrote:
What's wrong with PGP sigs is that going on 9 full years
after I generated my first pgp key, my mom still can't use
the stuff.
On 3 Oct 2002 at 17:33, Ben Laurie wrote:
Mozilla+enigmail+gpg. It just works.
If we had client side
-BEGIN PGP SIGNED MESSAGE-
at Tuesday, October 01, 2002 9:04 PM, Petro [EMAIL PROTECTED] was
seen
to say:
Well, it's a start. Every mail server (except mx1 and
mx2.prserv.net) should use TLS.
It's nice in theory, but in practice look how long it takes the bulk
of the internet to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bill Stewart wrote:
|
| If your organization is an ISP, the risks are letting them
| handle your email at all (especially with currently proposed
| mandatory eavesdropping laws), and STARTTLS provides a
| mechanism for direct delivery that isn't as
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Udhay Shankar N wrote:
| At 10:04 AM 10/2/02 -0500, Jeremey Barrett wrote:
|
| Amusingly, virtually none of them support STARTTLS on any other protocol.
| :) IMAP and POP are almost all supported only on dedicated SSL ports
| (IMAPS, POP3S). Argh.
|
|
--On Wednesday, 02 October, 2002 10:54 -0500 Jeremey Barrett
[EMAIL PROTECTED] wrote:
Udhay Shankar N wrote:
| At 10:04 AM 10/2/02 -0500, Jeremey Barrett wrote:
|
| Amusingly, virtually none of them support STARTTLS on any other protocol.
| :) IMAP and POP are almost all supported only on
Lucky Green wrote:
I also agree that current MTAs' implementations of STARTTLS are only a
first step. At least in postfix, the only MTA with which I am
sufficiently familiar to form an opinion, it appears impossible to
require that certs presented by trusted parties match a particular hash
--
Once you start using it, it becomes part of the pattern
by which other people identify you.
On 2 Oct 2002 at 9:52, David Howe wrote:
Exactly the intention, yes :) Just for the sake of it (anyone
who cares will have seen my signature enough times by now) I
will sign this
On Wed, Oct 02, 2002 at 04:54:54PM +0100, Ben Laurie wrote:
| Lucky Green wrote:
| I also agree that current MTAs' implementations of STARTTLS are only a
| first step. At least in postfix, the only MTA with which I am
| sufficiently familiar to form an opinion, it appears impossible to
| require
James A. Donald wrote:
And PGP tells me signature not checked, key does not meet
validity threshold
what version are you on? ckt never does that - it checks it, and marks the
sig status as good or bad - but obviously marks the key status as invalid
(due to lack of signing) on anyone I don't
Adam Shostack wrote:
On Wed, Oct 02, 2002 at 04:54:54PM +0100, Ben Laurie wrote:
| Lucky Green wrote:
| I also agree that current MTAs' implementations of STARTTLS are only a
| first step. At least in postfix, the only MTA with which I am
| sufficiently familiar to form an opinion, it
On Wed, Oct 02, 2002 at 09:12:47PM +0100, Ben Laurie wrote:
| Adam Shostack wrote:
| On Wed, Oct 02, 2002 at 04:54:54PM +0100, Ben Laurie wrote:
| | Lucky Green wrote:
| | I also agree that current MTAs' implementations of STARTTLS are only a
| | first step. At least in postfix, the only MTA with
Ben wrote:
Lucky Green wrote:
I also agree that current MTAs' implementations of STARTTLS
are only a
first step. At least in postfix, the only MTA with which I am
sufficiently familiar to form an opinion, it appears impossible to
require that certs presented by trusted parties match
David Howe [EMAIL PROTECTED] writes:
at Wednesday, October 02, 2002 3:13 AM, Peter Gutmann
[EMAIL PROTECTED] was seen to say:
As opposed to more conventional encryption, where you're protecting
nothing at any point along the chain, because 99.99% of the user base
can't/won't use it.
That is a
At 09:05 AM 10/01/2002 -0700, Major Variola (ret) wrote:
So yes Alice at ABC.COM sends mail to Bob at XYZ.COM and
the SMTP link is encrypted, so the bored upstream-ISP netops
can't learn anything besides traffic analysis.
But once inside XYZ.COM, many unauthorized folks could
intercept Bob's
at Tuesday, October 01, 2002 6:10 PM, James A. Donald
[EMAIL PROTECTED] was seen to say:
Not so. It turns out the command line is now different in PGP
6.5.8. It is now pgp -sta to clearsign, instead of pgp -sa.
(Needless to say the t option does not appear in pgp -h
*nods*
it's in the 6.5
-BEGIN PGP SIGNED MESSAGE-
at Tuesday, October 01, 2002 9:04 PM, Petro [EMAIL PROTECTED] was seen
to say:
Well, it's a start. Every mail server (except mx1 and
mx2.prserv.net) should use TLS.
It's nice in theory, but in practice look how long it takes the bulk of
the
internet to
I've always been intrigued by the volume of reports which indicate that
when hackers or other outlaws raid a corporate site, the first thing they
do is scan the stored email files of company executives.
Funny, with all the attention focused pushing the user to encrypt email for
transmission,
at Wednesday, October 02, 2002 3:13 AM, Peter Gutmann
[EMAIL PROTECTED] was seen to say:
As opposed to more conventional encryption, where you're protecting
nothing at any point along the chain, because 99.99% of the user base
can't/won't use it.
That is a different problem. if you assume that
--
James A. Donald wrote:
And PGP tells me signature not checked, key does not meet
validity threshold
On 2 Oct 2002 at 20:40, Dave Howe wrote:
what version are you on?
pgp 6.5.8 command line version.
The actual problem was that there was no such key in my key
ring, but error
--
On 2 Oct 2002 at 16:19, Adam Shostack wrote:
What's wrong with PGP sigs is that going on 9 full years after
I generated my first pgp key, my mom still can't use the
stuff.
The fact that your mum cannot use the stuff is only half the
problem. I am a computer expert, a key
On Wed, 2 Oct 2002, Ben Laurie wrote:
Adam Shostack wrote:
On Wed, Oct 02, 2002 at 04:54:54PM +0100, Ben Laurie wrote:
| Lucky Green wrote:
| I also agree that current MTAs' implementations of STARTTLS are only a
| first step. At least in postfix, the only MTA with which I am
|
On Tue, Oct 01, 2002 at 01:20:28PM +0100, David Howe wrote:
at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann
[EMAIL PROTECTED] was seen to say:
For encryption, STARTTLS, which protects more mail than all other
email encryption technology combined. See
Morlock Elloi wrote...
deleted
In other words, those that need crypto are taken care of, and
in order to gain resources to make sheeple use crypto you
have to become Them, in which case you don't really want
sheeple to use crypto in the first place.
Please do not use the derogatory term
The problem Mr. Howe describes is fundamental, folks:
encryption should be end-to-end even when the endpoints
are functionaries in a company. Because not all employees
are equal.
So yes Alice at ABC.COM sends mail to Bob at XYZ.COM and
the SMTP link is encrypted, so the bored upstream-ISP
James A. Donald [EMAIL PROTECTED] writes:
To the extent that real people are using digitally signed and or encrypted
messages for real purposes, what is the dominant technology, or is use so
sporadic that no network effect is functioning, so nothing can be said to be
dominant?
For encryption,
at Tuesday, October 01, 2002 3:08 AM, Peter Gutmann
[EMAIL PROTECTED] was seen to say:
For encryption, STARTTLS, which protects more mail than all other
email encryption technology combined. See
http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02_slides.pdf
(towards the back).
I would
At 11:52 AM 9/30/02 -0700, James A. Donald wrote:
--
What email encryption is actually in use?
PGP 5-7 on Win95+, using Eudora 3.05
talks to Mac whatever using 2.6.2
Signing is not generally necessary.
The chief barrier to use of outlook's email encryption
Outlook is one of Microsoft's
On Mon, Sep 30, 2002 at 12:53:36PM -0700, Joseph Ashwood wrote:
- Original Message -
From: James A. Donald [EMAIL PROTECTED]
The chief barrier to use of outlook's email encryption, aside
from the fact that is broken, is the intolerable cost and
inconvenience of certificate
1 - 100 of 108 matches