Anders Rundgren wrote:
Michael Ströder wrote:
That there should be as you claim mainly a "UI problem" is an opinion
that has some support in the literature ("Jonny can't encrypt"),
but I feel that it is much deeper than that; security should probably
as in the case of Skype be transparent, not n
Michael Ströder wrote:
>> That there should be as you claim mainly a "UI problem" is an opinion
>> that has some support in the literature ("Jonny can't encrypt"),
>> but I feel that it is much deeper than that; security should probably
>> as in the case of Skype be transparent, not needing any UI
On 12/05/2008 12:56 PM, Eddy Nigg:
In this respect, Globalsign might implement it exactly in the same way.
We might however ask them or read their CPS instead.
I had another look at http://www.globalsign.com/support/csr/autocsr.html
and apparently they aren't sending the PKCS12 file by email
On 12/04/2008 02:49 PM, Ian G:
Telephony was provided to the masses and it's inherently insecure.
Skype provided VoIP to the masses. And it was secure.
You keep claiming it and I tell you that it's not. Of course we can
continue forever here. But it doesn't come close to the same security
On 12/05/2008 11:38 AM, Rob Stradling:
It's considered a very bad practice I think.
Eddy, could you expand on this point?
I don't think WebTrust prohibits CAs from generating/retaining private keys
for users.
Retaining the private keys of users requires a key escrow service,
reasonable prot
On Wednesday 03 December 2008 12:22:19 Eddy Nigg wrote:
> On 12/02/2008 08:16 PM, Ian G:
> > Right, CAs won't have the private keys, unless they do. I imagine a
> > corporate CA can do what it likes, and doesn't need the consent of the
> > user.
>
> Sure, but they aren't in my list of CA roots.
>
>
Graham Leggett wrote:
I think you're missing the point I am trying to make. The addition of
SNI is a worthy feature to be added to httpd, ...
I think this is one of the biggest problems. Superficially, it is easy
to think of SNI as a feature enhancement. Instead, it is a security bug
fix t
Eddy Nigg wrote:
On 12/04/2008 01:04 PM, Graham Leggett:
httpd v2.3.0-alpha is to be tagged soon, which means SNI will start
being available in a release very soon, and SNI will start getting some
attention from end users.
Just to reiterate, that the missing SNI support has been a pain for a
Eddy Nigg wrote:
On 12/02/2008 08:04 PM, Ian G:
Eddy Nigg wrote:
In case of Skype they are the software vendor and control the
software, the issuing instance and also the user
Right, they do everything. One advantage for today: in the case of Skype
we (the user) only have to pay for one organ
Eddy Nigg wrote:
Just to reiterate, that the missing SNI support has been a pain for a
huge number of web site operators needing to buy additional IP addresses
for every secured web site.
StartCom Linux released yesterday a patched version of Apache with SNI
support (on the AS-5.0.2 release)
On 12/04/2008 01:04 PM, Graham Leggett:
httpd v2.3.0-alpha is to be tagged soon, which means SNI will start
being available in a release very soon, and SNI will start getting some
attention from end users.
Just to reiterate, that the missing SNI support has been a pain for a
huge number of web
Kaspar Brand wrote:
If you're too tired to do this, then just wait until httpd v2.4 is
released, as the patch is on trunk.
That reflects the status of the code as of April 2008, and doesn't
include any of the later improvements. But if the key httpd people
aren't willing to invest time in revi
Graham Leggett wrote:
> The way the process works is that you have to shepherd the patch through
> all the way until all the issues are resolved. And if someone raises
> an issue, don't assume that time will magically appear in their diary to
> fix your patch for you, that is your job.
I'm gett
On Sun, Nov 30, 2008 at 5:38 AM, Michael Ströder <[EMAIL PROTECTED]> wrote:
>> Sure there's ultimate trust.
>
> I disagree. You are making trust decision only in a certain context.
>
> To avoid getting too philosophical a PKI-related example: You would trust
> your employer to issue certs for encry
Kaspar Brand wrote:
And you've kept chasing this issue up on the dev list?
Graham, I'm getting tired of this conversation. Of course I brought up
SNI repeatedly on httpd-dev - in January, April, June, and August. But
if the feedback on the list is almost zero with each additional attempt,
then
Kaspar Brand wrote:
And you've kept chasing this issue up on the dev list?
Graham, I'm getting tired of this conversation. Of course I brought up
SNI repeatedly on httpd-dev - in January, April, June, and August. But
if the feedback on the list is almost zero with each additional attempt,
then
> And you've kept chasing this issue up on the dev list?
Graham, I'm getting tired of this conversation. Of course I brought up
SNI repeatedly on httpd-dev - in January, April, June, and August. But
if the feedback on the list is almost zero with each additional attempt,
then I'm losing interest i
Kaspar Brand wrote:
I'm quite familiar with that file, thanks for the pointer. Perhaps you
should have a look at
http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/[EMAIL PROTECTED]
and
http://mail-archives.apache.org/mod_mbox/httpd-dev/200810.mbox/[EMAIL PROTECTED]
before advisi
Graham Leggett wrote:
> The authoritative status of the httpd-2.2 backport is in the STATUS file
> in the httpd v2.2 branch, and that currently says this:
I'm quite familiar with that file, thanks for the pointer. Perhaps you
should have a look at
http://mail-archives.apache.org/mod_mbox/httpd-d
Ian G wrote:
(Client side certs are a lot more ready for mass-deployment than S/MIME
ones, but still have their foibles. One thing I discovered was that if
you have multiple certs, the KCM is not so well developed in Firefox. It
works if set to "choose-by-self," in which case we don't know whi
Kaspar Brand wrote:
Not really true, actually... for a fuller version of the story, see e.g.
The authoritative status of the httpd-2.2 backport is in the STATUS file
in the httpd v2.2 branch, and that currently says this:
Backport version for 2.2.x of updated patch:
http://pe
Graham Leggett wrote:
> My understanding is that SNI is supported in httpd-trunk, soon to become
> httpd v2.3.0. The people who created the patch apparently didn't make it
> compatible with httpd v2.2, and it has blocked its backport.
Not really true, actually... for a fuller version of the stor
On 12/02/2008 08:16 PM, Ian G:
Right, CAs won't have the private keys, unless they do. I imagine a
corporate CA can do what it likes, and doesn't need the consent of the
user.
Sure, but they aren't in my list of CA roots.
And if my CA says "we
got your private keys", then you have the choice
On 12/02/2008 08:04 PM, Ian G:
Eddy Nigg wrote:
In case of Skype they are the software vendor and control the
software, the issuing instance and also the user
Right, they do everything. One advantage for today: in the case of Skype
we (the user) only have to pay for one organisation. In the ca
On 12/02/2008 07:53 PM, Ian G:
(Client side certs are a lot more ready for mass-deployment than S/MIME
ones, but still have their foibles. One thing I discovered was that if
you have multiple certs, the KCM is not so well developed in Firefox. It
works if set to "choose-by-self," in which case we
Ian G wrote:
Albeit, only to those interested in SSL certs. Conceivably this would
be made a lot more fluid if Apache were to release TLS/SNI, and to a
lesser extent, Microsoft's IIE.
My understanding is that SNI is supported in httpd-trunk, soon to become
httpd v2.3.0. The people who creat
Eddy Nigg wrote:
On 11/29/2008 02:37 PM, Eddy Nigg:
Which they are indeed permitted to do, as long as they state that in
their procedures, and their auditor agrees that they have met criteria.
Eddy, other than your need to be colourful, what was the point you were
trying to make?
Well, CAs M
Eddy Nigg wrote:
On 11/29/2008 01:23 PM, Ian G:
Eddy Nigg wrote:
On 11/27/2008 01:22 PM, Ian G:
How do we know whether the keys are managed properly? Good question!
Well, it's a closed architecture & codebase, but it has been
audited, so
it bears comparison to any CA which operates a closed/
Frank Hecker wrote:
Eddy Nigg wrote:
Getting a certificate happens at some CAs already during the
registration process (cough, cough).
This is an interesting point, which I think supports at least some of
Ian's arguments. What you've done is to provide a real incentive for
users to get clien
On 12/01/2008 06:57 AM, Frank Hecker:
Eddy Nigg wrote:
Getting a certificate happens at some CAs already during the
registration process (cough, cough).
This is an interesting point, which I think supports at least some of
Ian's arguments. What you've done is to provide a real incentive for
us
Eddy Nigg wrote:
Getting a certificate happens
at some CAs already during the registration process (cough, cough).
This is an interesting point, which I think supports at least some of
Ian's arguments. What you've done is to provide a real incentive for
users to get client certificates, certi
On 11/30/2008 04:32 PM, Ian G:
OK, so would you agree that this is not very useful for the non-company
people, like yours and my mum?
Please note that you are agreeing here with yourself. The lack of
contributions to the thread doesn't mean that there is silent agreement
to what you say.
Ian G wrote:
Michael Ströder wrote:
The root cause is that protecting e-mails is not enforced/endorsed
within companies even if they have a working infrastructure. The lack of
training is the consequence of this.
OK, so would you agree that this is not very useful for the non-company
people
For me, the purpose of this debate is finding out what users can expect
from Mozilla by way of security. For the purpose of this question, we
see below that users can be divided into corporate users and individuals.
Michael Ströder wrote:
Ian G wrote:
Well, strange...
sure, snipping this.
Kyle Hamilton wrote:
First off: User training is arguably more technical than computer
infrastructure. You can't simply say "they were simply not teached
[sic]" and "that's a non-technical problem",
Let me rephrase: The decision whether users are teached is a business
decision since budget ha
On 11/30/2008 01:47 PM, Ian G:
Eddy Nigg wrote:
(I'm certain that CAs like Godaddy do that routinely) [*].
[*] I'm certain that there are some on this list which can confirm
that statement from personal experience.
I use Godaddy for some domains. I don't think they have ever sent me an
em
On 11/30/2008 01:47 PM, Ian G:
Eddy Nigg wrote:
(I'm certain that CAs like Godaddy do that routinely) [*].
[*] I'm certain that there are some on this list which can confirm
that statement from personal experience.
I use Godaddy for some domains. I don't think they have ever sent me an
em
Eddy Nigg wrote:
(I'm certain that CAs
like Godaddy do that routinely) [*].
[*] I'm certain that there are some on this list which can confirm that
statement from personal experience.
I use Godaddy for some domains. I don't think they have ever sent me an
email except for the purpose of
On 11/30/2008 01:09 AM, Kyle Hamilton:
Kyle, I must say that I found this particular message highly
interesting! Allow me to respond only on some subjects you've touched
which were of particular interest to me...
This is why I've been in favor of unobtrusive pop-ups (rather like
Growl not
Kyle Hamilton wrote:
I'd rather ask this question: "What do the users need that can have
partial or total solutions implemented using the technologies that
have been developed?"
Right, good question. I have three partial answers:
* if a standards protocol, Mozilla is interested in implemen
On Sat, Nov 29, 2008 at 3:20 AM, Ian G <[EMAIL PROTECTED]> wrote:
>
>
>
>> The sad thing is: The users, in this case my project colleagues, sometimes
>> do not know how to use the existing S/MIME infrastructure although they
>> enrolled during a user registration process and they already have eve
Ian G wrote:
Michael Ströder wrote:
Anders Rundgren wrote:
Michael Ströder wrote:
>
I can offer a counterpoint: a recent well-thought-out project to do
something similar started out with S/MIME, and concluded that S/MIME
should be optional because it is brittle,
The phrase "because it is b
On 11/29/2008 02:37 PM, Eddy Nigg:
Which they are indeed permitted to do, as long as they state that in
their procedures, and their auditor agrees that they have met criteria.
Eddy, other than your need to be colourful, what was the point you were
trying to make?
Well, CAs MUSTN'T have privat
On 11/29/2008 01:23 PM, Ian G:
Eddy Nigg wrote:
On 11/27/2008 01:22 PM, Ian G:
How do we know whether the keys are managed properly? Good question!
Well, it's a closed architecture & codebase, but it has been audited, so
it bears comparison to any CA which operates a closed/audited procedure.
Eddy Nigg wrote:
On 11/27/2008 01:22 PM, Ian G:
How do we know whether the keys are managed properly? Good question!
Well, it's a closed architecture & codebase, but it has been audited, so
it bears comparison to any CA which operates a closed/audited procedure.
Bullshit! That's about the sam
Michael Ströder wrote:
Anders Rundgren wrote:
Michael Ströder wrote:
Ian G wrote:
* it has no open + effective key distribution mechanism. (I exclude
the LDAP stuff as that is generally for internal / corporates, and is
not a general solution for the users.)
Just exchanging signed S/MIME
Anders Rundgren wrote:
Michael Ströder wrote:
Ian G wrote:
* it has no open + effective key distribution mechanism. (I exclude
the LDAP stuff as that is generally for internal / corporates, and is
not a general solution for the users.)
Just exchanging signed S/MIME e-mails is quite easy f
Michael Ströder wrote:
>Ian G wrote:
>> * it has no open + effective key distribution mechanism. (I exclude
>> the LDAP stuff as that is generally for internal / corporates, and is
>> not a general solution for the users.)
>Just exchanging signed S/MIME e-mails is quite easy for most users. The
On 11/27/2008 01:22 PM, Ian G:
How do we know whether the keys are managed properly? Good question!
Well, it's a closed architecture & codebase, but it has been audited, so
it bears comparison to any CA which operates a closed/audited procedure.
Bullshit! That's about the same as CAs keeping c
Eddy Nigg wrote:
On 11/26/2008 05:30 PM, Ian G:
Well, I don't see that. PGP and Skype both offer authenticated +
confidential messages, without the "certificate" side of things.
LOL, and how exactly? Or better, how can I validate that? Specially in
the case of skype, we don't even know where
Anders Rundgren wrote:
It seems that you don't believe much in technical solutions as
enablers.
In fact I do. But still there are non-technical issues to be solved for
which no technical solution exist. And I think that steadily inventing
new standards is not a solution for establishing a t
odel.
I don't expect a reply on this because it will anyway take some five years or
so to figure out if the above is correct or not.
Anders
- Original Message -
From: "Michael Ströder" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To:
Sent: Wedn
On 11/26/2008 05:30 PM, Ian G:
Well, I don't see that. PGP and Skype both offer authenticated +
confidential messages, without the "certificate" side of things.
LOL, and how exactly? Or better, how can I validate that? Specially in
the case of skype, we don't even know where those keys reside,
Ian G wrote:
PGP and Skype both offer authenticated +
confidential messages, without the "certificate" side of things. They
do it conceptually by tightly binding the keys to the user, and having
each user authenticate their handles directly to each other.
Well, there has to be a persistent s
Anders Rundgren wrote:
I'm looking for a system that offers authenticated and confidential
messaging which would among things include mobile phone voice messaging.
If such system would require users to trust certificates and stuff, it will
fail.
Our current only alternative is the trusted prov
On 11/26/2008 10:27 AM, Anders Rundgren:
I'm looking for a system that offers authenticated and confidential
messaging which would among things include mobile phone voice messaging.
You also might want to look into http://openid.net/
I expect OpenID to deployed as a form of authentication almos
From: "Michael Ströder" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To:
Sent: Tuesday, November 25, 2008 21:52
Subject: Re: Creating a Global User-level CA/Trust Infrastructure
forSecureMessaging
Anders Rundgren wrote:
I want each organization/domain entity t
tive because
it doesn't seem to require end-users "trusting" anything than their provider.
Anders
- Original Message -
From: "Michael Ströder" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To:
Sent: Tuesday, November 25, 2008 21:52
Subject: Re: Creati
58 matches
Mail list logo
