Slashdot Mirror


User: kzanol

kzanol's activity in the archive.

Stories
0
Comments
65

Comments · 65

  1. Re:Write this one down on PGP vs GnuPG in Big Business? · · Score: 1
    I have to concur. I've tried using both in a W2K / Outlook environment, NAI PGP wins usability hands down.
    • Outlook Integration: There is an Outlook plugin for GPG so for basic encrypt/decrypt operation both are reasonably usable.
    • Key Management: Here's where GPG falls flat on its face; managing keys is nearly impossible with the GPG GUI key manager, performance completely breaks down if the size of your keyring goes up a bit (about 150 keys on my ring currently). Adding / signing a new key is pretty much instantaneous in PGP while it takes > 60 seconds in GPG!
    • Corporate goodies: Having features like additional decryption keys or split keys available can also be important for corporate use.
    • Availability / Reliability: Here I'd give points to GPG: There's good commitment and a broad developer base for GPG while NAI has publicly announced that it actually wants to be rid of PGP, so there's really no saying how long PGP support or further development will be available from NAI.
    Alternatives: PGP/GPG have a great advantage over other options: cross platform availability; you'll be hard pressed to find ANY computer where there ISN'T a version of PGP or GPG available. On the other hand, if you don't actually need that diversity, going with the Windows/Outlook builtin X.509 stuff could be your best option. Easy to use, pretty foolproof, supported by almost all external crypto devices.
    All in all, I'd say for company-wide deployment, the interfaces / integration for GPG just aren't there yet.
  2. Re:WHAT THE?!?!? on Do You Pay for Your Shareware? · · Score: 2, Insightful
    Likewise I didn't have to call Charmin to tell them that I am wiping my butt with their toilet tissue and I am, in fact, the original owner.

    Yes, but then - you had to PAY for it BEFORE taking it home.
    With shareware, you get to take it home, check it out. IF, and ONLY if you actually like the product are you required to fork over any cash. I'd say that gives you much greater surety that what you're paying for is actually what you wanted and easily offsets the nuisance of having to register.

  3. Nice combination, but nothing fundamentally new. on UDP + Math = Fast File Transfers · · Score: 1
    This sounds like quite a few old ideas have been combined in a new(?) way:
    • High-grade compression. The system they describe sounds quite similar to wavelet compression used for image data; main difference: usually algorithm based compression works best for sound/video data where slight differences between original and reconstructed image are acceptable - you look for an algorithm that approaches the original, but it doesn't have to be a 100% match. For application data, there obviously mustn't be any information loss.
    • Downloading information from several sources: this is done by lots of utilities; some FTP clients, swarmcast, kazoo/morpheus to name just a few.
    • Sliding window IP data transfer; also old stuff, you don't even have to use UDP for this, support is built right into the TCP protocol. You can easily have a TCP connection with a large window size, i.e. the amount of data that can be "on the fly" before an acknowledgement is required. Sequence of packets isn't an issue either, TCP is perfectly happy to reorder the packets on arrival. This way you avoid the problems introduced by high bandwidth / high latency connections mentioned in the article. Only really stupid applications/protocols suffer from these effects nowadays - if your application won't send the next packet before receiving an acknowledgement for the previous one, your performance will obviously suck.
    Considering this, the most noteworthy thing about the article seems to be the ability of their marketing folks to make this actually sound new and interesting.
  4. Re:Performance on Fitting A Linux Box On A PCI Card · · Score: 1

    I wonder what sort of performance you get out of one of these cards?
    Since I've got a router/firewall box using the same CPU I should be able to answer that one (300Mhz):
    RC5: Summary: 4 packets (25.00 stats units)
    1.14:10:07.62 - [48,778 keys/s]
    As you can see, number crunching is right out of the question. Still, easily fast enough to push packets around.

  5. Re:Windows XP dumb terminal on Shuttle's Tiny PC Reviewed · · Score: 1

    Small and cheap?
    Have a look at the Allwell Set-top boxes; from my experience these make VERY nice diskless terminals, although I haven't yet tried what XP does to them - only tried linux so far and quite happy with the result. Price ranges from $289 to $400 depending on configuration;
    my box (300MHz, 32MB Disk On a Chip Flash ROM, 2.5" IDE installation kit etc.) cost about $400.

  6. Re:work usage on Shuttle's Tiny PC Reviewed · · Score: 2, Interesting
    we need various data loggers to monitor what's going on
    Have you looked at the GCT Allwell boxes yet? Really neat box, NO fans => completely silent. Different sizes of flash memory (or IDE disks if you need more space) for OS/applications are available. Only downside is that the fastest CPU you can get is 300MHz - slow by today's standards but easily sufficient for lots of applications.
    Also important: not at all expensive; most very small / embedded systems turn out to be unreasonably expensive, this one costs about $289 - $400 depending on options.
    I'm running one of these as firewall/VPN Box for my home network:
    • Linux 2.4 kernel
    • Squid proxy
    • iptables firewall
    • ipsec and ms pptp VPN server
    • NTP server (stratum 1, got serial DCF77 receiver)
    • Boa web server (for access to squid cachemgr and serving code red/nimda antidote scripts)
    • ssh server + client stuff
    All of this runs from an 8M DOC (Disk On a Chip) Flash memory (plenty of space still free) - no moving parts at all.
  7. Do we actually NEED this much CPU power? on Intel Promises A Cool Billion (Transistors) · · Score: 5, Insightful
    A Cool Billion

    If only it were so - but looking back on the development later new cpu generations I'd bet it's going to be a HOT billion...

    Requirements for cooling of new cpus are becoming ever more demanding, just the cpu can burn in excess of 50W in existing cpus.

    So, for my own requirements I'm more interested in getting an (energy) efficient system that can run with as few fans and noise as possible - it's practically impossible nowadays to get a box where CPU power is NOT sufficient for even the most demanding tasks. The downside is that most modern boxes seem to be best suited for running flight simulators - at least they sound like jet engines.

    Also if you're working in an office with a lot of computers, the heat output of computers and monitors can be VERY noticeable, esp. in summer. (No, there's no air conditioning in my office).

    Hopefully the new technology will not only be used to create overpowered energy hogs but also find its way into (mobile?) processors - same cpu core as existing cpu, but smaller layout, lower core voltage and correspondingly much cooler/more silent.

  8. Re:Is it not a waste? on SETI@Home to Crunch More Data · · Score: 2, Interesting
    until we find them, they come for a god damn visit, and they take us over.
    I would much rather waste my CPU time than max it out looking for annihilation.

    Careful there: First, SETI is a PASSIVE search for ETs - we're not trying to send anything, we're just listening. Even if any aliens we happen to find should turn out to be nasty, I'd much rather have good intelligence on them than sitting on my dumb ass and get a nasty surprise one day.
    Also: "visiting to take over" would be pretty low on my scale of possible threats: lightspeed barrier and travel time should make any personal contact pretty much improbable.

    If I'm going to worry, I'd be more along these lines:

    Alien paranoid race: they've got their own version of SETI, they wait till the wavefront of electromagnetic radiation produced by an emerging civilisation (i.e. by us) reaches them. Next they take steps to prevent us ever becoming a problem for them: just set some nice massive missile in motion, accelerate to relativistic speed and have it home in on the radio signals.

    Raw materials: Once you've got an interstellar civilisation going, you might need raw materials, and lots of them. So, scan star systems for planetary systems with Jupiter class planets. (They should be able to find these easily - even we've managed to do as much). Send a bunch of unmanned probes over to replicate using resources found at the target and return processed raw materials. Takes a long time but then, you'd have to think in fairly long spans anyway as soon as you're considering more than one solar system. If one such mining/gathering probe happens on our system - tough luck; they'd probably not even notice we're here (or they just don't care).

  9. Re:I'll never buy them again on IBM DeskStar 75GXP Hard Drive Failures? · · Score: 1

    I can only second that - I'm running a couple of Clinux HA Clusters (2 nodes each) and I've been using 75GB IBM disks with hardware raid controllers (3ware 6200) in these.

    In all, that's 10 Boxes with 2 75GXP each; systems have been set up a bit over one year ago (14 months). Since using the systems, I've had 7 drives go bad. (Last three of these failed just last week). While the disks do operate 24/7 they're in pretty much optimal environment: Climate controlled server room, 19" rackmount boxes with ample power supplies; extra fan in the boxes for the disks, temperature monitored and graphed via lm_sensors and mrtg. Max temperature measured at disk case is about 30C.

    Given this set of data points, I'd say there's DEFINITELY something wrong with this series of IBM disks.

  10. Re:emBSD.org on Little Linux Systems For Whatever Ails Ya · · Score: 1
    that has three (3) NICs and CompaqFlash

    Several ways you could get the Allwell system up to spec:

    1) there is a model STB3036N-CF (see bottom of page) that has CF
    2) use the PCI slot for a multiport ethernet card; there's a bunch of these available, for example the ANA-62022 Two-Port Card by Adaptec.
    3) the STBII5012 has 2 ethernet interfaces integrated + 2 PCI slots; this should easily give you all the options you need.

  11. Re:Does it also work for FedEX vehicles? on Flywheel UPS · · Score: 1

    If you use just one flywheel mounted vertically - make sure you spin it down before you park the car - otherwise your car will roll over onto its back like a turtle in the next 12 hours. Ok, it probably won't have sufficient mass/velocity to actually make this happen but the idea is nice :-)

  12. Re:The inevitable on Death of the General Purpose PC · · Score: 2

    They can have my pc when they pry it from my cold dead hands.
    Your offer is acceptable.

  13. Re:PGP on Making PKI Work · · Score: 1

    Our price model also gives a certain (up to 50%) rebate on additional certs as well as renewal of existing cert, so the effort for identification is accounted for only once.

    Good to know this, I'd be quite happy with this compromise; if you put it somewhere on your webpage where this information can actually be seen - even better.

    please visit us again after the CeBit 2001 (~ March 22. 2001)
    I might do even better - since I'll be AT Cebit, I might visit you right there.

    we will release the new web pages
    Including actual links for getting the free class 1 personal certs referenced elsewhere on your site and including the possibility to get Demo PGP certs I hope (use a demo signing key since a PGP signature can't/doesn't expire).
    Also something I like having access to: In addition to the automatic Key generation/submission schemes for Netscape and IE, make a generic cut/paste PKCS10 CSR Interface available.

  14. Re:PGP on Making PKI Work · · Score: 1
    Thanks for the pointer, just a few comments:
    • This seems to be very much centered on serving customers in Germany - no real procedure is outlined in the webpages (neither German nor English version) for customers outside Germany to get certificates.
    • If I want to get certificates both for netscape-S/Mime and for PGP, I'd have to pay full price twice. I much prefer the approach that you pay for the verification of user data and, once your data is verified and on file, can request all the (personal) certs containing this verified data without further cost.
    Given that the actual cost incurred by the CA is for the verification of user data and that creation of the certificates afterwards is an automated process that shouldn't require additional user interaction or effort, it doesn't seem to place unfair burden on the CA either.
  15. Re:PGP on Making PKI Work · · Score: 1

    Hmmm, I wonder if one of those "technical reasons" might be that Verisign bought them and that Verisign is an X.509 champion?

    Could be; From talking to their tech people, I got the impression it actually was a technical reason, namely that they switched to new/different server technology for handling signature requests and the new server doesn't do DSA Public key encryption and so can't deal with all PGP keys.

    You still run into the same problem if you try to get a Certificate for a DH/DSS key signed using their cut and paste generic interface - it doesn't recognize the key format and rejects the cert request.

    Might change in the future though - there's been a lot of discussion regarding this and they're seemingly interested in adding support if possible.

  16. Re:PGP on Making PKI Work · · Score: 1

    as well as that this P2P model can sustain CA compromise better than any hierarchical structure.

    Personally, I like to use both the P2P flexibility of PGP and the better scalability and ease of use of a centralized PKI.

    So far, I've only seen one centralized CA that's helped me to take advantage of both systems, namely thawte.

    They used to provide signatures to PGP keys as one of the certificate formats; unfortunately they discontinued PGP support last december for technical reasons.

    Still, having your PGP Key signed by a recognized CA is a good way of increasing its usability, and newer versions of PGP support x.509 certificates. Have a look at my pgp key to see what can be done: Thawte X.509 certs for both addresses I currently use.

    End result: if you DO trust the centralized CA, Thawte in this case, you can immediately trust my key without having to go through a fairly complex P2P verification. If you don't, well, you've lost nothing - it's still possible to verify authenticity as with every other key.

    Anyone know if there's a CA that can handle certificate requests for NON RSA keys (like PGP DH/DSS keys)?

  17. Re:Clustering ain't just Beowulf on What's The Best Linux Distribution For Clustering? · · Score: 1
    Quite right. I guess the question asked just isn't specific enough; the setup needed for high availability failover stuff is quite different compared to load balancing / process distribution high performance clusters.

    A very good place to start looking at various stuff available for linux clustering is www.linux-ha.org.

    Also worth mentioning if you think about the high availability (active/standby) configuration: if there's more than one service to be provided, you can get quite nice performance boosts by distributing active / standby roles on the machines in your cluster - having a database server for an ISP with oracle active on one node and postgres / mysql on the 2nd node gives you both great performance and high availability.

    It means an active-standby configuration with a shared disk

    Not necessarily; Personally I like the solution of having separate, local raid0 (or raid5) disk arrays in each of the nodes and keeping them synchronized over the network.
    • You don't need the special hardware for shared disk stuff.
    • It's much easier to physically separate the nodes - all that's needed is a reliable network connection between the nodes.
    • You avoid the single point of failure you'd get with the shared disk device.

    For a practical implementation of disk synchronisation at the blockdevice level have a look at drbd.

    If you do want to go with shared media you'd best consider two separate raid 0 or raid5 devices, each connected to both boxes (separate scsi bus for each device). The two devices are then configured as raid 0 (mirror); if you throw in some scsi separators you should be set - the aim is to avoid the problems arising from a single device rendering the whole scsi bus unusable if it fails in a nasty way.

    You'll still want to have some additional hardware for your cluster: having a good method for I/O fencing (guaranteeing that both nodes trying to write to a device at the same time scrambling the data) is a really good idea; the easiest way to achieve this is to provide a method for one node to control the other's power supply; in case a node decides it has to take over functionality because the previously active node is no longer responding it can power down or at least power cycle the other node to make sure it's REALLY down and not just hung for a few seconds.

    Designing and building clusters can be fun :-)
  18. Re:Yay!!! on XFS Beta · · Score: 2

    What about ext3 (which provides journalling) - hasn't that been released yet?

    ext3 is available as kernel patches from ftp://ftp.uk.linux.org/pub/linux/sct/fs/jfs/; there's still a bunch of issues to be aware of.

    Pro: very nice transition from existing ext2 filesystems and back again. Does journaling so bye-bye long fsck times.

    Con: Does data+metadata journaling so write performance is about 1/2 ext2. Must still be classed as experimental, I wouldn't yet go production with ext3 - reiser seems to be stable enough to use on production systems right now.

    If you're interested in stuff increasing the availability of your system (journaling filesystems, hardware monitoring, cluster configurations..) the site to visit is http://www.linux-ha.org, it's got a nice collection of links to the relevant projects.

  19. Re:No end to spam on E-Mail Patent Roundup From The NYT · · Score: 2

    The difference is not corporations vs. individuals. It's the difference between "Freedom to speak" and "Freedom to force everyone to listen".

    You're perfectly free to stand on a soapbox in a park and say whatever you want - just as much as I'm free not to listen to you.

    Looking at advertisements this means: your freedom to publish anything including advertisements on the web should be guaranteed - this does NOT mean that you may force me to view it by sending it as spam however.

  20. Re:Freeswan not close to prime time on Open VPNs On Unix That Support Windows Clients? · · Score: 1

    Actually the static IP requirement isn't really that. You can support road warriors with dynamic IP addresses. Unfortunately they all have to share the same authentication key. This would likely prove an unacceptable compromise to someone really interested in security. :-)

    This applies only if you use shared secrets for authentication; if RSA keys are used, you can have different keys for multiple road warriors with dynamic IP addresses.

    You can a) have linux Road warriors using FreeSwan or
    b) use PGPNet Clients with Kai Martius FreeSwan/PGP patches on the server. See list archives on

    I've used b) myself and while it's a bit tricky to get it set up it works quite nicely; the setup burden is mostly with the server (freeswan) end - the clients are just plain run-of-the-mill PGPNet installations. Given the price of about $20 for PGP including PGPNet (mcafee webstore) and its full international availability this is a combination that's currently VERY hard to beat wrt to price/performance.

  21. Asus, how about fixing existing stuff? on ABIT KT7 With Built-In CPU Multiplier Adjustment · · Score: 2

    I'd much rather have them fix existing products instead; especially ASUS has atrocious end-user support and doesn't seem interested in fixing severe bugs in their products.

    Examples?

    * P5A bios doesn't support harddisks > 32 GB (crash on boot). No released fix available. (there is a beta bios you can dig up if you look hard enough).

    * The IDE Busmaster NT drivers for K7M Board don't support harddisks > 8GB (NT only sees first 8GB). No fix available from asus.

    Guess how happy I am about buying a K7M board to replace the old P5A because I wanted to use a new big harddisk.

    * Have a look at their own discussion board - lots of user questions and bug reports, absolutely NO reaction from asus tech whatsoever.

  22. Re:They were great! :-) on Gigabyte Matchbook Drives From IBM · · Score: 1

    > Someday I'll fire up my old QL and see how well the Microdrives keep over the years.

    Let me give you the sad news - they're much worse than disks at keeping data; I've tried getting my QL to work again last year:

    * The keyboard contacts had corroded - about half the keys didn't work any longer
    * of all my microdrives (12) only two could still be completely read; the others were corrupted in varying degree.

    Luckily I had also invested in a floppy adapter + 3.5" 720K floppies - these still worked, the pc keyboard (old cherry, using real microswitches) I rewired to match the QL keyboard matrix also worked :-)

    Still, I ended up transferring all the files + tape images to my PC; the QL emulator works GREAT there. Can you imagine the nostalgia trip of playing your favorite text adventure again after MANY years? (Lost kingdom of ZKUL - loved it).

    Anyone got nice programs for QL ?

  23. Another source for meteorite knives on The Oldest Knives In The Solar System · · Score: 1

    http://www.cosmic-cutlery.com/toc.html also offers a selection of knives & jewelry made from meteorites.

    Unfortunately, it's also rather pricy, but hey - what did you expect?

  24. Re:XFree86 4.0: it's all about marketing on XFree86 4.0 vs. XFree86 3.3.x · · Score: 2

    > In their mind, you're just another person who
    > can't keep up with technology. So is the FSF
    > just trying to one-up MS in their own game by
    > releasing XFree86 4.0? Seems like it to me.

    Definitely not. If you take a closer look at the new Xfree 4.0 version, you'll find that it is indeed greatly different from 3.x; different enough to warrant the jump in version numbers.

    The underlying architecture was completely remodeled, the insane replication of code and effort for the separate monolithic x-servers has been replaced by a modular design that will even allow cross-OS reuse of driver modules, the font handling has changed and so on..

  25. Extend slashdot user info with quotability flag? on On Internet Discussion Boards And Referencing Slashdot · · Score: 1

    The question on how to quote also lines up with the trouble seen with the plan of releasing a book on the "hellmouth" series of discussions containing quoted material.

    It could be a good idea to add a setting to user preferences to indicate authors' preferences wrt. to reuse of posted comments outside slashdot. Granted, it won't cover AC postings, it will leave the situation just as unclear as it's now for those users who don't bother to enter any info - but it would give a standardized way to explicitly express the authors' wishes on what may be done with posts.

    If there's a lot of comments to choose from, it would make external use much less controversial if you could just pick some where the authors explicitly agreed to have the stuff reused.