I certainly do - my first SSL cert from Thawte cost a fraction of the $900 an EV SSL certificate costs from them, and required utility bills, bank statements etc to verify my identity.
Identity can, and has, been validated in the same fashion as EV-SSL certificates for a fraction of the price in the past. If they wanted to establish identity they could, and for less than an EV-SSL cert costs at present. In other areas of business, certificates of higher cryptographic strength go for less than $0.04 a cert in bulk. The processing time for a signing system using a modern processor and a HSM is less than 1 second. To maintain the old prices is daylight robbery.
How do you support a cert? They're pretty much set once delivered. Typically that is true. However when we tried an EV-SSL chained certificate, it wouldn't recognize the trust chain and caused all sorts of problems. We tried dealing with the support people, but they were very unhelpful and would only deal with us over email. Since they appeared to be in the UK (and we in the US), it was very frustrating in dealing with them. In the end we gave up and went back to a root certificate. I have has customers having this problem. I only supply higher key strength certificates. Your problem was likely due to the higher key strengths and MAC sizes being unsupported by Windoes/IE. I can throw 2048 RSA, SHA256 cert at firefox and it will validate the chain, but IE will not.
It tends to get even messier if you have ECC certs.
... Revocation - I'm not sure enough customers will have had to deal with that to get enough feedback to make a judgement. I run a small CA for a particular technology. My advice to the manufacturers obtaining certs is "Don't compromise your keys!". Revocation is painful.
They don't want to tell you, but here's what information they made available: http://www.fujitsu.com/global/news/pr/archives/month/2008/20080421-01.html My first guess is that there is an ATA specification for the key management, either published or in the works. Someone should go and check because I won't get around to it today.
TFA is very sniffy about press not being allowed in the technical sessions. As far as I'm concerned they can bloody well stay away for good.
When engineers get together in technical meetings in standards groups, SIGs and the like, they have deep technical and commercial problems to solve that leads to long, difficult, nuanced discussions, all aimed at getting to a solution that will work, get implemented and be commercially feasible.
What no one involved needs is the press sticking their noses in and printing these arguments in the press, dressing them up like some narrative in a thriller. Its happened to me several times and every time, the uninvited journalist got it hopelessly wrong, presenting technical work as interpersonal bickering and being clueless on the technical matters.
Journalists are a pox on standards meetings. They can eff right off.
When the journalists turn up, propose work items on desktop issues and promise not to run away and write up events in some rag, they will have dragged themselves out of the bottom of the barrel.
It's just violence. Nutjobs will take whatever justification they can. They melded both catholicism and nationalism into their worldview. They both count as tribal groupings that foster violence.
>I'll bet neither have the fundie Christians or Islamists done anything directly to harm you and yours. "Nuts" and murder, extortion, false accusations, kidnapping and other activities are worlds apart.
Well the IRA tried to blow up my mother at the Ideal Home Exhibition in Birmingham. She got away unscathed but she saw someone's foot blown off. That's the catholics for you.
Re:Time to ban Microsoft products
on
Gmail CAPTCHA Cracked
·
· Score: 5, Interesting
> A linux desktop O/S is just as insecure technically. Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.
>The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.
No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.
>They're both not secure. That depends entirely on the threat model you are protecting against. If you want it really secure from the network, take it off the network. If you want it secure from users put it in a locked room and have multi person, multi factor authentication to access it and require dual operator controls so no individual can pull something off unobserved. This is how PKI centers work. If you want a secure online server, you need accounting of the trusted code. The extend to which Windows and Linux compare is quite different for those cases.
>The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).
Or you might document and analyze your threat model first, before protecting against those threats.
Re:I pity the poor astronauts.
on
Kimchi in Space
·
· Score: 1
Ditto. I've been to Korea twice. The Kimchi varied, was never too offensive and I have no memory of it smelling too bad. It didn't make me fart. I think people are making this stuff up.
However there is nothing to compare in nastiness to the icky, squishy, fishy stuff I had to eat at some super classy Seoul restaurant, except maybe the silkworm lavae they sell on the street to kids.
>Why do you believe all devices have and/or will have keyboards now and/or in the future?
I don't, but such devices aren't for doing real work on. They're for making phone calls, listening to MP3 or browsing the internet. They are a waste of space if you want to write a few thousand lines of python.
>Then your mention of CAD is completely irrelevant. CAD requires a great deal of precision and control, and is not likely to be used often even on laptops, let alone the smaller devices. Reading an email, on the other hand, just needs a simple way to manipulate the screen. Who cares if it is a very coarse method of control, as long as it enables me to quickly get to what I want?
I don't consider it to be irrelevant. Mouse gestures in CAD tools are a precursor to the multitouch hand gestures, in that the motion is interpreted by the computer to decide what function you want. People that interact with CAD tools all day has the choice between mouse gestures or the traditional mode of using the mouse to point and the keyboard to select the function to apply at the point. The latter proved much more efficient and mouse gestures didn't become popular.
Similarly, on a laptop with a mouse pad, I'm way more likely to hit ctrl+ to zoom in than mess around with two hands on the pad. It may make sense for keyboardless devices, but such devices are usually not things you do real work on. They are for browsing, listening to music and making phone calls.
Two fingered mouse gestures are a fad that will pass.
Ctrl +, Ctrl - has worked fine for zooming in and out for years.
Various CAD tool vendors tried to get people to use mouse gestures for years, but people stuck with the mouse+keyboard because it is a much more definite form of input.
The disk encryption product being discussed would not pass FIPS-140, yet they claimed the use of AES and implied that this meant it was secure.
The comment "A vendor telling you they use AES is completely and utterly worthless, and always has been. It's a nice buzzword people like to use." carries a lot of truth. A vendor that knows what they are doing will know what to tell another security expert sufficient to convince him of the security of the system or algorithms. This would typically include the key management functions, data encryption functions, data integrity functions and compliance to specifications such as FIPS-140.
No. I don't trust them. The security comes through the use of air-gapping (no network connection), HSMs (Hardware Security Modules) and the access and use procedures. The OS is Linux, but that is not what determines the security of the system.
>There are other places where other network standards have heavily borrowed from DOCSIS.
Yes, 802.16 borrowed PKM (Privacy and Key Management) from DOCSIS. It was such a pile of poo that we had to throw it out and write PKMv2 to make it secure.
>If you can't do a bare metal reinstall without reading a 42 digit number over the phone to somebody in India their licencing confusion is barely relevant in a serious computing environment.
It's a complete show stopper when installing in an air-gapped secure room holding the root keys for a certificate authority. The place is RF shielded, no wires enter the room except the well armored power supply, no cell phones or other comms equipment are permitted.
Identity can, and has, been validated in the same fashion as EV-SSL certificates for a fraction of the price in the past. If they wanted to establish identity they could, and for less than an EV-SSL cert costs at present. In other areas of business, certificates of higher cryptographic strength go for less than $0.04 a cert in bulk. The processing time for a signing system using a modern processor and a HSM is less than 1 second. To maintain the old prices is daylight robbery.
It tends to get even messier if you have ECC certs.
... Revocation - I'm not sure enough customers will have had to deal with that to get enough feedback to make a judgement. I run a small CA for a particular technology. My advice to the manufacturers obtaining certs is "Don't compromise your keys!". Revocation is painful.>They have cheap 128-bit cert that have Root in almost all browsers.
Usually they are 1024 bit RSA with SHA-1 signing (80 bit). These are deprecated by NIST for use past 2010.
MS don't support SHA-256 signatures in XP, until SP3, which explains some of the delay in rolling out stronger roots.
How do you support a cert? They're pretty much set once delivered.
1) You make a cert request. Pay Money.
2) They verify your identity.
3) They sign your cert request and return it as a signed cert.
It's not like you can upgrade a v3 cert to v3.1.
Performing encryption in hardware encrypts multiple bytes per cycle and takes none of the CPU's time since it is done on the disk's chips.
>really? When was last time that something "that will work, get implemented and be commercially feasible" came out of some meeting?
Several standards beginning in 802.
TFA is very sniffy about press not being allowed in the technical sessions. As far as I'm concerned they can bloody well stay away for good.
When engineers get together in technical meetings in standards groups, SIGs and the like, they have deep technical and commercial problems to solve that leads to long, difficult, nuanced discussions, all aimed at getting to a solution that will work, get implemented and be commercially feasible.
What no one involved needs is the press sticking their noses in and printing these arguments in the press, dressing them up like some narrative in a thriller. Its happened to me several times and every time, the uninvited journalist got it hopelessly wrong, presenting technical work as interpersonal bickering and being clueless on the technical matters.
Journalists are a pox on standards meetings. They can eff right off.
When the journalists turn up, propose work items on desktop issues and promise not to run away and write up events in some rag, they will have dragged themselves out of the bottom of the barrel.
The Verizon trucks and workmen digging holes was a pretty reliable sign where I live.
They are code names, not product names.
Intel has a rich collection of silly code names.
>IRA violence is political, not religious.
It's just violence. Nutjobs will take whatever justification they can. They melded both catholicism and nationalism into their worldview. They both count as tribal groupings that foster violence.
>I'll bet neither have the fundie Christians or Islamists done anything directly to harm you and yours. "Nuts" and murder, extortion, false accusations, kidnapping and other activities are worlds apart.
Well the IRA tried to blow up my mother at the Ideal Home Exhibition in Birmingham. She got away unscathed but she saw someone's foot blown off. That's the catholics for you.
> A linux desktop O/S is just as insecure technically.
Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.
>The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.
No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.
>They're both not secure.
That depends entirely on the threat model you are protecting against. If you want it really secure from the network, take it off the network. If you want it secure from users put it in a locked room and have multi person, multi factor authentication to access it and require dual operator controls so no individual can pull something off unobserved. This is how PKI centers work. If you want a secure online server, you need accounting of the trusted code. The extend to which Windows and Linux compare is quite different for those cases.
>The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).
Or you might document and analyze your threat model first, before protecting against those threats.
Ditto. I've been to Korea twice. The Kimchi varied, was never too offensive and I have no memory of it smelling too bad. It didn't make me fart. I think people are making this stuff up.
However there is nothing to compare in nastiness to the icky, squishy, fishy stuff I had to eat at some super classy Seoul restaurant, except maybe the silkworm lavae they sell on the street to kids.
>Maybe you can help me find the CTRL key on my iPhone?
Send it to me in the mail, I'll see what I can do.
>Why do you believe all devices have and/or will have keyboards now and/or in the future?
I don't, but such devices aren't for doing real work on. They're for making phone calls, listening to MP3 or browsing the internet. They are a waste of space if you want to write a few thousand lines of python.
>Then your mention of CAD is completely irrelevant. CAD requires a great deal of precision and control, and is not likely to be used often even on laptops, let alone the smaller devices. Reading an email, on the other hand, just needs a simple way to manipulate the screen. Who cares if it is a very coarse method of control, as long as it enables me to quickly get to what I want?
I don't consider it to be irrelevant. Mouse gestures in CAD tools are a precursor to the multitouch hand gestures, in that the motion is interpreted by the computer to decide what function you want. People that interact with CAD tools all day has the choice between mouse gestures or the traditional mode of using the mouse to point and the keyboard to select the function to apply at the point. The latter proved much more efficient and mouse gestures didn't become popular.
Similarly, on a laptop with a mouse pad, I'm way more likely to hit ctrl+ to zoom in than mess around with two hands on the pad. It may make sense for keyboardless devices, but such devices are usually not things you do real work on. They are for browsing, listening to music and making phone calls.
Two fingered mouse gestures are a fad that will pass.
Ctrl +, Ctrl - has worked fine for zooming in and out for years.
Various CAD tool vendors tried to get people to use mouse gestures for years, but people stuck with the mouse+keyboard because it is a much more definite form of input.
You are mistaking AES for FIPS-140.
The disk encryption product being discussed would not pass FIPS-140, yet they claimed the use of AES and implied that this meant it was secure.
The comment "A vendor telling you they use AES is completely and utterly worthless, and always has been. It's a nice buzzword people like to use." carries a lot of truth. A vendor that knows what they are doing will know what to tell another security expert sufficient to convince him of the security of the system or algorithms. This would typically include the key management functions, data encryption functions, data integrity functions and compliance to specifications such as FIPS-140.
>By keeping your data in an XML format, you can use simple XSL stylesheets to generate multiple types of output.
Just like LaTeX! Reinvention is a wonderful thing.
>Can't you just turn the computer off at that point?
Not if you want to it do something, like have an OS installed or sign some X.509 certificates.
No. I don't trust them. The security comes through the use of air-gapping (no network connection), HSMs (Hardware Security Modules) and the access and use procedures. The OS is Linux, but that is not what determines the security of the system.
>There are other places where other network standards have heavily borrowed from DOCSIS.
Yes, 802.16 borrowed PKM (Privacy and Key Management) from DOCSIS. It was such a pile of poo that we had to throw it out and write PKMv2 to make it secure.
>If you can't do a bare metal reinstall without reading a 42 digit number over the phone to somebody in India their licencing confusion is barely relevant in a serious computing environment.
It's a complete show stopper when installing in an air-gapped secure room holding the root keys for a certificate authority. The place is RF shielded, no wires enter the room except the well armored power supply, no cell phones or other comms equipment are permitted.