Kyle Hamilton wrote, On 2008-12-24 08:39:
> On Wed, Dec 24, 2008 at 4:25 AM, Ian G wrote:
>> PS: on an earlier comment, check this out:
>>
>> http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx
>>
>> This is, IMHO, the sort of work that Mozilla should be treating as more
On Wed, Dec 24, 2008 at 4:25 AM, Ian G wrote:
> PS: on an earlier comment, check this out:
>
> http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx
>
> This is, IMHO, the sort of work that Mozilla should be treating as more
> important than today's case, because it evidenc
On 12/24/2008 3:36 AM, Ian G wrote:
> Hi David,
>
> On 24/12/08 02:23, David E. Ross wrote:
> {long diatribe by iang on liability snipped}
>
>> See the thread "Unbelievable" in this newsgroup.
>>
>> Now we have the situation in which Comodo allowed third-party CAs under
>> its root to issue site
On 24/12/08 12:36, Ian G wrote:
Hi David,
I would expect that Comodo would say that their RPA sets the scene, the
baseline. I found this:
http://www.comodo.com/repository/
http://www.comodo.com/repository/docs/relying_party.html
Now, this might not be the right doc. But, let's assume it is, for
Hi David,
On 24/12/08 02:23, David E. Ross wrote:
{long diatribe by iang on liability snipped}
See the thread "Unbelievable" in this newsgroup.
Now we have the situation in which Comodo allowed third-party CAs under
its root to issue site certificates without proper authentication of the
subsc
On 12/18/2008 2:09 PM, Ian G wrote:
> On 18/12/08 18:25, Anders Rundgren wrote:
>> CA liability has been focused on the RP since it an RP that "trusts" a CA
>> and its certificates, right?
>
>
> Um!
>
> If one takes a PKI view, then there exist 3 main parties: CA, RP,
> Subscriber. However ot
On 18/12/08 18:25, Anders Rundgren wrote:
CA liability has been focused on the RP since it an RP that "trusts" a CA
and its certificates, right?
Um!
If one takes a PKI view, then there exist 3 main parties: CA, RP,
Subscriber. However other views exist. Liabiliy is an issue at law (in
th
Honestly, a single disgruntled employee can already send "fully
authorized" POs all over the map, as it stands right now.
That's what Sarbanes-Oxley is supposed to address -- it requires
internal auditing on a constant, continual basis.
And remember... a key can be its own identity. The Freenet
On 19/12/08 05:57, Kyle Hamilton wrote:
Self-help chat message boards are a rather odd concern,
Not sure what you mean by "odd" ? Social networking is all the rage.
and they're
actually where I want to try to put PKI. The "problem" as far as it
goes is this: I want to put PKI there. I D
On Thu, Dec 18, 2008 at 7:29 AM, Ian G wrote:
> On 18/12/08 12:09, Kyle Hamilton wrote:
>>
>> Eddy's gone ahead and sent a signed PDF, according to a later message
>> in-thread. I expect that it'll work without a hitch, though I would
>> like to hear of any anomalous behavior. :)
>>
>> But, I'm s
On 12/18/2008 10:16 PM, Ian G:
It is truly basic, it is how business works.
Your assumptions are a non-starter for me. Having worked myself in
various organizations from small and to big (1000+), what you suspect is
completly foreign to me, not common practice for IT personnel (in
particula
On 18/12/08 17:47, Eddy Nigg wrote:
On 12/18/2008 05:29 PM, Ian G:
Hopelessly unreliable, in my opinion. Crypto will tell you that someone
with "Kathleen's key" made that PDF, but some time later we might
discover that Kathleen now works for Microsoft. Nobody bothered to
replace the key, becaus
quot;Ian G"
To: "mozilla's crypto code discussion list"
Sent: Thursday, December 18, 2008 17:00
Subject: Re: Publishing CA information documents in PDF format
On 18/12/08 13:20, Anders Rundgren wrote:
> Kyle,
> I fully agree with your conclusions.
> IMO a signature's
On 12/18/2008 05:29 PM, Ian G:
Hopelessly unreliable, in my opinion. Crypto will tell you that someone
with "Kathleen's key" made that PDF, but some time later we might
discover that Kathleen now works for Microsoft. Nobody bothered to
replace the key, because it worked.
Well, I think I start
On 12/18/2008 05:06 PM, Frank Hecker:
You can apparently create signed PDF documents using Adobe Acrobat 9
Standard; Eddy says there are free signing utilities than be used also,
but I don't have references for those right now.
Eddy is using a slightly modified version of this:
http://sourcef
On 12/18/2008 05:15 PM, David E. Ross:
Actually, a digital signature DOES NOT necessarily guard a document from
attack. An attacker might still be able to delete a signed document.
I'm not aware of any PKI solution that protects from deletion. That
would have to be handled properly on the fil
On 18/12/08 13:20, Anders Rundgren wrote:
Kyle,
I fully agree with your conclusions.
IMO a signature's primary function is to provide a mark of authenticity
to something. If the signature is associated with an unknown signer
the value of the signature becomes rather limited.
The Qualified Certi
On 18/12/08 12:09, Kyle Hamilton wrote:
Eddy's gone ahead and sent a signed PDF, according to a later message
in-thread. I expect that it'll work without a hitch, though I would
like to hear of any anomalous behavior. :)
But, I'm struck again by a couple of questions.
Why does everything have
> On Wed, Dec 17, 2008 at 11:14 AM, Frank Hecker
> wrote:
>> Kyle Hamilton wrote:
>>> Actually, the 'threat model' is more related to versioning (via
>>> timestamp) than anything, and to ensure that no malware on my system
>>> (I try to keep it malware-free, obviously, but I also know that just
>
Kyle Hamilton wrote:
Eddy's gone ahead and sent a signed PDF, according to a later message
in-thread. I expect that it'll work without a hitch, though I would
like to hear of any anomalous behavior. :)
It did indeed work without problems. I was able to read the document
successfully with a va
On 12/18/2008 01:09 PM, Kyle Hamilton:
Why does everything have to have an explicit 'threat model' before
cryptography can be applied? In my view, cryptography is useful for
MUCH more than just "protecting against potential attack".
Kile, I think that's correct and the protection/confirmation
ehind this RFC
was "to increase the acceptance of certificates" :-)
Anders
- Original Message -
From: "Kyle Hamilton"
To: "mozilla's crypto code discussion list"
Sent: Thursday, December 18, 2008 12:09
Subject: Re: Publishing CA information documents in PDF
Eddy's gone ahead and sent a signed PDF, according to a later message
in-thread. I expect that it'll work without a hitch, though I would
like to hear of any anomalous behavior. :)
But, I'm struck again by a couple of questions.
Why does everything have to have an explicit 'threat model' before
On 12/17/2008 09:14 PM, Frank Hecker:
Kyle Hamilton wrote:
Actually, the 'threat model' is more related to versioning (via
timestamp) than anything, and to ensure that no malware on my system
(I try to keep it malware-free, obviously, but I also know that just
because I don't think I've been hac
Kyle Hamilton wrote:
Actually, the 'threat model' is more related to versioning (via
timestamp) than anything, and to ensure that no malware on my system
(I try to keep it malware-free, obviously, but I also know that just
because I don't think I've been hacked doesn't mean I haven't been)
modifi
Actually, the 'threat model' is more related to versioning (via
timestamp) than anything, and to ensure that no malware on my system
(I try to keep it malware-free, obviously, but I also know that just
because I don't think I've been hacked doesn't mean I haven't been)
modifies a local copy I make.
On 12/17/2008 06:06 PM, Frank Hecker:
I've asked Kathleen Wilson in future to convert the CA information
documents to PDF format before uploading them to Bugzilla. I've also
converted the information document for S-TRUST to PDF myself, and
uploaded it to bug 370627.
Excellent! I guess Nelson ca
I've asked Kathleen Wilson in future to convert the CA information
documents to PDF format before uploading them to Bugzilla. I've also
converted the information document for S-TRUST to PDF myself, and
uploaded it to bug 370627.
As for digitally signing these PDF documents, I think we need to
28 matches
Mail list logo
