Re: Microsoft COFEE

2008-05-03 Thread Adam Back
I think the point is Microsoft is storing passwords rather than salted, iterated hashes of passwords, storing EFS symmetric keys in clear text or lightly obfuscated in LSA keys which is not encrypted, just protected by policy tied to the Windows login, and all these insecure things vs say Linux loo

RE: Microsoft COFEE

2008-05-03 Thread Alan
> Arshad Noor wrote on 30 April 2008 20:36:
>
>> It can be "ordered to decrypt system passwords"??? So, I wonder
>> what attackers can do with this...
>
> They can run pwdump, lsadump, samdump, dump the pstore, snarf the SAM,
> all that kind of stuff that is completely routine and everyday.

Re: Entrust CA, Staat der Netherlanden CA, Proposal

2008-05-03 Thread Eddy Nigg (StartCom Ltd.)
Eddy Nigg (StartCom Ltd.): And have the affected cross-signing trust bits removed? That should have been "and have the affected signing trust bits cross-removed" :-)

Re: Entrust CA, Staat der Netherlanden CA, Proposal

2008-05-03 Thread Eddy Nigg (StartCom Ltd.)
Paul Hoffman: There is also a policy question of whether or not Entrust's CPS says what cross-signing means in a way that both we and the auditors can understand. On its face (without having read the documents), I think it sounds pretty shaky to have a CA saying "you can trust that other CA to

Re: Entrust CA, Staat der Netherlanden CA, Proposal

2008-05-03 Thread Paul Hoffman
At 10:48 AM -0400 5/2/08, Frank Hecker wrote:
>On Fri, May 2, 2008 at 8:08 AM, Eddy Nigg (StartCom Ltd.)
><[EMAIL PROTECTED]> wrote:
>> In comment https://bugzilla.mozilla.org/show_bug.cgi?id=431621#c5 the
>> representative of DigiNotar (Kick) notes that their CA root has been
>> cross-signed b

Re: Entrust CA, Staat der Netherlanden CA, Proposal

2008-05-03 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker:
(In reply to comment #17)
> FF2 allowed me to view the page eventually. The affected root is "Entrust.net
> Secure Server Certification Authority". Please strip the email trust from this
> root for now.
Eddy, I think it wou

Re: Entrust CA, Staat der Netherlanden CA, Proposal

2008-05-03 Thread Eddy Nigg (StartCom Ltd.)
I tried to find out about requirements in the Entrust CPS (http://www.entrust.net/CPS/pdf/webcps051404.pdf) however couldn't find any regulation concerning cross-signing. Maybe this is covered in a different document of theirs. However I also couldn't find any regulation concerning S/MIME and