RE: NAI pulls out the DMCA stick

2002-05-24 Thread Peter Gutmann

contrary [EMAIL PROTECTED] writes:

> As long as you obtain your S/MIME certificate from an approved CA, using an
> approved payment method and appropriate identification.

The only CA-issued certs I've ever used were free, and under a bogus name.
Usually I just issue my own.  You really need to find a better strawman than
this if you want to criticise S/MIME.

Peter.




RE: NAI pulls out the DMCA stick

2002-05-24 Thread Peter Gutmann

Curt Smith [EMAIL PROTECTED] writes:

> Certificate Authorities issue certificates complete with CA imposed expiration
> dates and usage limitations. (I prefer independent systems with unrestricted
> certificates)

So issue your own.  Honestly, why would anyone want to *pay* some random CA for
this?

> Certificate Authorities match individuals to keys (Thanks, but no thanks)

And PGP doesn't?  Anyway, X.509 certs can be as anonymous as PGP keys.

> Certificate Authorities can revoke certificates at anytime (CA-driven DOS
> attack)

Most implementations ignore revocation, and in any case it's not an issue if
you issue your own.

Peter.




Re: Joe Sixpack doesn't run Linux

2002-05-24 Thread Peter Gutmann

Meyer Wolfsheim [EMAIL PROTECTED] writes:

> S/MIME support is in just about every popular email client out of the box.
> Why is PGP more widely used?

[Good reasons snipped]

Those who care about security [0] use PGP, the rest use S/MIME.  To steal a
line from Hexed:

  S/MIME: For people who could care less.

Actually it's not even that, it's closer to:

  Plaintext: For people who could care less.

I have yet to exchange an encrypted S/MIME message of any significance with
anyone, ever.  Even if the other side is using an S/MIME-enabled mailer, we
usually end up using PGP even if it means having to try half a dozen different
versions to find one which will process the other side's messages.  While I'm
in a quoting mood, there's also Marshall Rose's comment about X.400 to steal:

  Two people meet at a conference and exchange email addresses.  They get back
  to their offices and want to communicate securely.  If both sides are using
  PGP x.y.z, they communicate securely.  If one side is using PGP x.y.z and the
  other isn't, they wait for a message and then keep trying different PGP
  versions until they find one which will process the message.  If they aren't
  using PGP, they communicate in plaintext and hope no-one's listening.

  (In case that's forwarded or quoted out of context, this is a comment on a
   social issue, not a software issue).

Peter.

[0] With the corollary: and aren't government users, S/MIME is used a fair
bit in certain areas, it just doesn't get much public exposure.




Mersenne Twister

2002-05-24 Thread gfgs pedo

hi,

Does any 1 have a reference to the actual Mersenne
Twister algorithm?
Thank u.


Regards Data.






Re: Open-Source Fight Flares At Pentagon Microsoft Lobbies Hard Against Free Software

2002-05-24 Thread David Howe

> Microsoft also said open-source software is inherently less secure
> because the code is available for the world to examine for flaws,
> making it possible for hackers or criminals to exploit
> them. Proprietary software, the company argued, is more secure because
> of its closed nature.

Presumably the contrast between this and their other recent declaration
(that their code is so insecure releasing it would be a national
security risk) doesn't occur to them? Or maybe they think the two
complement each other (eg look, our code is so insecure that we can't
release it, and we can't believe anyone is any better than us, so theirs
must be so insecure it can't be released too)




RE: NAI pulls out the DMCA stick

2002-05-24 Thread contrary

On Fri, 24 May 2002 17:13:18 +1200 (NZST), Peter Gutmann
[EMAIL PROTECTED] said:
> contrary [EMAIL PROTECTED] writes:
>
> > As long as you obtain your S/MIME certificate from an approved CA, using an
> > approved payment method and appropriate identification.
>
> The only CA-issued certs I've ever used were free, and under a bogus name.
> Usually I just issue my own.  You really need to find a better strawman than
> this if you want to criticise S/MIME.
>
> Peter.
 
OK, likewise.  But I guess my point (if I had one) is that regardless
of technical, usage, privacy and trust issues there is also one of
linkage between a nym and meatspace.  
With pgp, it's easy to generate a new keypair, label or sign it any way
I care to, and exchange and use it for a single interaction.
Relatively easy.  (Joe Sixpack-'O-Bass-Ale) 
S/MIME certificates (by which I may just mean commercial CA's) seem
mostly directed at strong authentication for commerce, and lean heavily
toward linking to a credit card, driver's license number, or
credential.
This is a Good Thing for cryptography and for commerce, but not for
'nymity.  Also not for undeclared privacy which is privacy that   
occurs below the attention threshold and without the permission of the
censors. 
 


-- 
  contrary
  [EMAIL PROTECTED]





Re: Mersenne Twister

2002-05-24 Thread Mike Rosing

On Fri, 24 May 2002, gfgs pedo wrote:

> hi,
>
> Does any 1 have a reference to the actual Mersenne
> Twister algorithm?
> Thank u.

I've got code posted on the author's web page.  Do a web search of Mersenne
Twister and you'll get there eventually.

Patience, persistence, truth,
Dr. mike





MPAA wants all A/D converters to implement copyright protection.

2002-05-24 Thread Trei, Peter

My mind has been boggled, my flabbers have been ghasted.

In the name of protecting their business model, the MPAA
proposes that every analog/digital (A/D) converter - one of 
the most basic of chips - be required to check for US 
government mandated copyright flags. Quite aside from 
increasing the cost and complexity of the devices many, 
manyfold, it eliminates the ability of the US to compete 
in the world electronics market.

If this level of ignorance, chutzpah, and bloodymindedness
had been around a hundred years ago, cars would be
forbidden to have a range greater than 20 miles, to
protect the railway industry, and transoceanic airline
tickets would have a $1000/seat surcharge, to compensate
the owners of ocean liners for lost revenue.

I know that Tinseltown is based on dreams and fantasies
(as well as the violation of Edison's movie patents), but
someone needs to sit these people down and teach them 
the lesson that King Canute taught his nobles.

Peter Trei
[The above is my personal opinion only. Do not
misconstrue it to belong to others.] 

--
http://slashdot.org/articles/02/05/23/2355237.shtml?tid=97
- start quote -
MPAA to Senate: Plug the Analog Hole!

Posted by jamie on Friday May 24, 09:30AM
from the op-amp dept.

A month ago, the MPAA filed its report [PDF][1] with the Senate 
Judiciary Committee on the terrors of analog copying. I quote: in 
order to help plug the hole, watermark detectors would be required 
in -- are you sitting down? -- all devices that perform analog to digital 
conversions. At their page Protecting Creative Works in a Digital Age[2], 
the Senate lays out the issues they'll be looking at, including briefs from 
corporate groups, and provides a comment form[3] so your opinion can 
be heard as well. As Cory Doctorow writes: this is a much more sweeping 
(and less visible) power-grab than the Hollings Bill, and it's going forward
virtually unopposed. ...the Broadcast Protection Discussion Group
is bare weeks away from turning over a veto on new technologies to
Hollywood.
Doctorow's article on the analog hole[4] for the EFF does a great job of
explaining the issues to non-electrical-engineers, and has many
thought-provoking examples of how requiring such technology would be a
giant step backwards.

[1] http://judiciary.senate.gov/special/content_protection.pdf
[2] http://judiciary.senate.gov/special/feature.cfm
[3] http://judiciary.senate.gov/special/input_form.cfm
[4] http://bpdg.blogs.eff.org/archives/000113.html

- end quote -




RE: NAI pulls out the DMCA stick

2002-05-24 Thread jamesd

--
On 23 May 2002 at 0:24, Lucky Green wrote:
> Tell me about it. PGP, GPG, and all its variants need to die
> before S/MIME will be able to break into the Open Source
> community, thus removing the last, but persistent, block to an
> instant increase in number of potential users of secure email by
> several orders of magnitude.

My impression is that S/MIME sucks big ones, because it commits
one to a certificate system based on verisign or equivalent.

I have been the verisign administrator at several companies, and
there is no way that bird will fly.  The verisign system is just
barely tolerable for identifying authorized web sites and
software.  For identifying individuals, forget it.


--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 CXACCdVytBDJ5TDVZ2+IV9xP4c3QRpRxP+JoLBdL
 4w44ULlzkb4jKH9nuzpy/Mlxl8CctM+OYZoZEhO8H




Re: Government subsidies: our last, best hope for Cryptanarchy?

2002-05-24 Thread Morlock Elloi

> You may be asking yourself: where, oh where, has all the crypto gone?

Presuming question, as the rest of the article.

Crypto is there for all those who want to encrypt, accessible as it was five
years ago. And stuff does get encrypted - the real crypto, P2P, not the bogus
one between servers in boiler rooms.

As for argument that OS upgrade game requires live crypto coders to keep up -
that's also bogus. PGP 2.6.3i runs fine on the latest winshit. PGP 2.6.2 runs
fine on latest macs. PGP 2.6.2 compiles under linux and freebsd today (unlike
6.* sources)

And they are being used by those who need them. What, no shiny UI ? Tough shit.
Use plaintext. And shiny UI *did not* make masses use 7.0.3, did it ?

Actually, people have machines with 5-6-7 year old OSes ... because they work.
Especially in end-user interface applications - text editors, mail clients,
telnet/ssh/http, there is no need to upgrade at all.

Virus claim is also bogus.

That is, unless you use microsoft stuff with 5 months average life span.
You do ? I thought so.

Face it, convenient crypto is an exercise in futility. Convenience is
positioning end users where they are wanted - bent over, pants down, cleansed
by the upgrade enema, ready to receive.

ITAR classification was correct, after all. Crypto is arms. Successful crypto
distribution and use patterns will follow those for arms. Guess when sheeple
will start to use crypto.



=
end
(of original message)





Re: MPAA wants all A/D converters to implement copyright protection.

2002-05-24 Thread Mike Rosing

On Fri, 24 May 2002, Trei, Peter wrote:

> My mind has been boggled, my flabbers have been ghasted.

Yes.  It is not really possible to put into words just how insane this is,
is it?  I'm gonna try to sit down with a senator's aide who's working on
this as soon as possible, I think the guys from Wisconsin are on the
judiciary committee.

> --
> http://slashdot.org/articles/02/05/23/2355237.shtml?tid=97
> - start quote -
> MPAA to Senate: Plug the Analog Hole!
>
> Posted by jamie on Friday May 24, 09:30AM
> from the op-amp dept.
>
> A month ago, the MPAA filed its report [PDF][1] with the Senate
> Judiciary Committee on the terrors of analog copying. I quote: in
> order to help plug the hole, watermark detectors would be required
> in -- are you sitting down? -- all devices that perform analog to digital
> conversions. At their page Protecting Creative Works in a Digital Age[2],

Patience, persistence, truth,
Dr. mike




Re: Joe Sixpack doesn't run Linux

2002-05-24 Thread Curt Smith

The lack of e-mail detailing financial transactions is also the
reason many businesses chose not to incur the overhead of
secure communications.

If there were servers on the internet which automatically
displayed all plaintext e-mail messages which passed through
them as webpages (for the bored, curious, and opportunistic),
THEN everyone would see the value of encrypted e-mail.

--- [EMAIL PROTECTED] wrote:
> ...
> The big lack of demand for encryption by Joe Sixpack is a
> result of the lack of financial transactions using the
> internet between Joe sixpack and Bob sixpack.
>
> --digsig
>  James A. Donald


=
end




Re: Joe Sixpack doesn't run Linux

2002-05-24 Thread jamesd

--
On 23 May 2002 at 10:57, Meyer Wolfsheim wrote:
> 3. The people who might use it if it is easy.
>
> This is Joe Sixpack. This is who you are worrying about, wanting
> S/MIME to deliver on its promises. This is Templeton is worrying
> about, wanting opportunistic mail encryption.

Joe sixpack is willing and able to make the necessary mental 
effort if there is money at stake -- which of course there is not.

The first recorded use of envelopes in mail was in financial 
transactions.  People would create a clay tablet containing marks 
representing so many goods of this type, so many goods of another 
type, bake it, then wrap in another clay envelope, and bake that.

Right now Joe Sixpack relies on the widely shared secret of his 
credit card number, and that sharing worries him more than 
somewhat.  Problems resulting from that sharing are dealt with by 
the credit card company's arbitration facilities, which cost
him, the card company, and the merchant dearly.

The big lack of demand for encryption by Joe Sixpack is a result 
of the lack of financial transactions using the internet between 
Joe sixpack and Bob sixpack. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 GLOU6WqBTbh5/1XBintStENCsUIWt7tnZNUrmtbZ
 4ydGcwGiWOaRxYAIjlkIr8jUnEMBYpo4PElVUT14t




Re: why OpenPGP is preferable to S/MIME (Re: NAI pulls out the DMCA stick)

2002-05-24 Thread jamesd

--
On 23 May 2002 at 21:58, Adam Back wrote:
> This won't achieve the desired effect because it will just
> destroy the S/MIME trust mechanism.  S/MIME is based on the
> assumption that all CAs are trustworthy.  Anyone can forge any
> identity for clients with that key installed.  S/MIME isn't
> really compatible with the web of trust because of the
> two tier trust system -- all CAs are assumed trustworthy and all
> users are not able to sign anything.

Or to say the same thing in slightly different words, all CAs are
perfectly and equally trustworthy, and all users are
untrustworthy.

This system is inherently authoritarian.  Because that authority
must be restricted for it to be useful, it is inherently a pain in
the ass to administer, with inherently high administrative costs.
Like socialism, S/MIME results in bureaucracy, delay, expense, and
inefficiency. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 USL5cv1ggEyWtLV5o70QlHagEAxDOVzR+aGoGJyG
 4r/H3bXgCwZ3aRF4U6H7Adat9jD9PjCxb1FPSgQpk




Re: NAI pulls out the DMCA stick

2002-05-24 Thread Eric Murray

On Fri, May 24, 2002 at 12:07:48PM -0700, Curt Smith wrote:
> While we are on the subject of issuing your own X.509
> certificates:
>
> 1.  How do you create a X.509 signing hierarchy?

Do a web search on openssl certificate authority.

> 2.  Can you add additional algorithms (ie. Twofish)?

Yes, if the libraries you use support them.
Note that twofish, being a symmetric algorithm, would
not be used in certificates.  Public key and hashes only.

> 3.  Is a relevant developer reference available for X.509?


X.509 is an ITU/T standard, which means, among other things, that
they charge money for copies.  You can find copies on the net though.
Being ITU/T also means that the standard is written in a format and
style that is designed to be as incomprehensible as possible.  This keeps
the professional meeting-goers who write these things from having to
search for honest work.  The documents get progressively less
understandable over time, so it's best to start with the 1988 version.
PKCS#6 explains X.509 as well and is easier to understand.

Peter Gutmann's X.509 Style Guide is quite comprehensible and
also pretty funny after you have spent time trying to decipher
X.509 or any other X.whatever standard.
Peter also has a neat utility called dumpasn.1 which you will
want if you start diddling X.509 certs.

Openssl is probably the most common library for doing cert
stuff these days.  Unfortunately the docs for Openssl are pretty
much non-existent and the ASN.1 code is particularly difficult
to understand.


Eric




Re: Joe Sixpack doesn't run Linux

2002-05-24 Thread Major Variola (ret)

At 12:21 PM 5/24/02 -0700, Curt Smith wrote:
> If there were servers on the internet which automatically
> displayed all plaintext e-mail messages which passed through
> them as webpages (for the bored, curious, and opportunistic),
> THEN everyone would see the value of encrypted e-mail.

Hmm, didn't Sircam do a bit of that?  But it sent files, not your entire
mail spool; and it didn't try too hard to broadcast (it could have always
forwarded a copy to usenet in addition to your contacts).  Not sure if
disk-encryption would have helped; it just would have sent one of the open
(cleartext) files.  Sircam forwarding a saved, encrypted email would have
been harmless modulo traffic analysis.

To encourage WiFi encryption you could use a high-gain antenna and
anonymously (re) broadcast traffic you found.  And publicize the site.
Don't do this too early during deployment or you'll stunt the early growth.




S/MIME and web of trust (was Re: NAI pulls out the DMCA stick)

2002-05-24 Thread Eric Murray

On Fri, May 24, 2002 at 11:17:08AM -0700, [EMAIL PROTECTED] wrote:
> --
> On 23 May 2002 at 0:24, Lucky Green wrote:
> > Tell me about it. PGP, GPG, and all its variants need to die
> > before S/MIME will be able to break into the Open Source
> > community, thus removing the last, but persistent, block to an
> > instant increase in number of potential users of secure email by
> > several orders of magnitude.
>
> My impression is that S/MIME sucks big ones, because it commits
> one to a certificate system based on verisign or equivalent.

It uses X.509, which is supposed to be a hierarchical certificate system. 
Verisign is just the dominant X.509 CA.

But as others have pointed out, it's possible to become one's own X.509
CA and issue oneself certs.  Netscape and IE browsers will accept certs
from completely made up CAs.  You might have to click on a few "do you
really want to do this" dialog boxes but that's it.  All you need is a
copy of Openssl and directions off a web site.

Additionally, there is nothing that prevents one from issuing certs
that can be used to sign other certs.  Sure, there are key usage bits
etc but it's possible to ignore them.  It should be possible to create
a PGP style web of trust using X.509 certs, given an appropriate set of
cert extensions.  If Peter can put a .gif of his cat in an X.509 cert
there's no reason someone couldn't represent a web of trust in it.

Each user would self-sign their cert.  Or self-sign a CA cert and
use that to sign a cert, same thing.  Trust would be indicated
by (signed) cert extensions that indicate I trust Joe Blow X amount as
a signer of keys.  Each time you added a trust extension you would
generate a new cert using the same key.  Each trust extension would
indicate the entity, their key id (hash of public key), and the degree of
trust.  When you added a trust extension you'd give a copy of the new
cert to the entity you just added.  They can then append these
certs onto their cert when they authenticate to someone.

When authenticating, you verify the other guy's cert, something he signed
with his private key, then all the other people's certs that he sends
in addition to his own, all of which attest to his trustworthiness.
Ideally, you also trust some of the same people, so you now have their
signed statements attesting to a degree of trust in the new guy.
[note, there's probably a conceptual flaw in this since I'm loopy from
allergy drugs today and probably not thinking as clearly as I think I
am, so be polite when you point out my error.  In any case, the point
is that it's possible to do a web of trust in x.509, not that I have a
fully formed scheme for implementing it]

Since all this is in X.509, S/MIME MTAs accept it (unless they are
programmed to not accept self-signed CAs, in which case your MTA is a
slave to Verisign et al.).  You'd need an external program to verify the
web of trust, but that's about it.  And to be honest, exactly zero of the
PGP exchanges I have had have actually used the web of trust to really
verify a PGP key.  I've only done it in testing.  In the real world,
I either verify out of band (i.e. over the phone) or don't bother if
the other party is too clueless to understand what I want to do and getting
them to do PGP at all has already exhausted my patience.


But why bother?

Even if I could do this X.509 web of trust tomorrow, no one besides a
few crypto-geeks would use it.  People just don't give a shit about other
people reading their email.  Most people can't even be bothered to use
a decent password or shred their credit-card statements.  Only criminals
have anything to hide, right?


--
Eric
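
An added example, not part of any post in this thread and not code from the OpenSSL project: the self-issued signing hierarchy asked about in Curt Smith's question 1, built with the `openssl` command line, followed by a check of what a verifier that does enforce the CA bit makes of a certificate issued from an end-entity key. The subject names, the address alice@example.org, the file names and the function names are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: a personal two-level X.509 hierarchy built with the openssl CLI.
# Every name, address and file name here is constructed for illustration.
# Private keys are left unencrypted (-nodes) to keep the demo non-interactive.

make_config() {   # $1 = path of the config file to write
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[smime]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.org
EOF
}

build_hierarchy() {   # $1 = working directory
  ( cd "$1" && make_config ca.cnf &&
    # 1. Self-signed root: CA:TRUE, allowed to sign certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
      -extensions v3_ca -subj "/CN=Example Personal Root CA" \
      -keyout ca.key -out ca.crt &&
    # 2. End-entity S/MIME certificate for alice, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=Alice Example/emailAddress=alice@example.org" \
      -keyout alice.key -out alice.csr &&
    openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 90 -extfile ca.cnf -extensions smime -out alice.crt &&
    # 3. A certificate for bob signed with alice's end-entity key (CA:FALSE).
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=Bob Example" -keyout bob.key -out bob.csr &&
    openssl x509 -req -in bob.csr -CA alice.crt -CAkey alice.key \
      -CAcreateserial -days 90 -out bob.crt
  ) >/dev/null 2>&1
}

# Succeeds when alice.crt chains to the self-issued root.
verify_alice() {
  openssl verify -CAfile "$1/ca.crt" "$1/alice.crt" >/dev/null 2>&1
}

# Succeeds only if the verifier accepts alice.crt as an intermediate issuer.
verify_bob() {
  openssl verify -CAfile "$1/ca.crt" -untrusted "$1/alice.crt" \
    "$1/bob.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_hierarchy "$demo_dir" || echo "openssl run failed" >&2
verify_alice "$demo_dir" && echo "alice.crt: chains to the self-issued root"
verify_bob "$demo_dir" || echo "bob.crt: rejected, its issuer is not a CA"
```

Whether bob.crt is rejected is a property of the verifier: one that skips the basicConstraints and key usage checks would accept the same chain.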