In message <[EMAIL PROTECTED]> on Tue, 14 Jun 2005 00:14:54 -1000, "coco coco" <[EMAIL PROTECTED]> said:
coconut_to_go> We called it bullshit, and were having a hot debate,
coconut_to_go> most people (the technical people) are opposed to that,
coconut_to_go> saying that there is nothing secure about this scheme.
coconut_to_go> If you want to separate the signature key from the
coconut_to_go> encryption key, you should have 2 keys, and not one key
coconut_to_go> with 2 certificates. This does not make any sense.

Like everyone else, I say this consultant doesn't know what he's talking about (I'm tempted to ask you to tell me who it is, so I can avoid him/her).

Can I suggest a different line of attack, though? It's obvious that confronting the consultant by calling bull doesn't win you any points, so how about simply asking the consultant how, exactly, the double certificate scheme increases security. And do not let yourself be satisfied with a half ass answer.

coconut_to_go> The CEO said he trusts the "security expert", and if we
coconut_to_go> want to change that, we need to come up with better
coconut_to_go> arguments than that.

I'd ask the CEO up front on what grounds he trusts that consultant.

coconut_to_go> But the annoying thing is, the 2 certificates do not
coconut_to_go> even specify usage attributes correctly. And our
coconut_to_go> security expert said it does not matter, we (the
coconut_to_go> programmers) have to figure that out, which cert is
coconut_to_go> used for signature and which one is used for encryption.

This is just further proof that consultant doesn't know squat what he or she is talking about.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
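The two points the thread turns on (one key behind two certificates gives no separation, and certificates without usage attributes leave the programmer unable to tell which is which) can be made concrete. The following is an added example, not code from the thread or from OpenSSL; it assumes the Python `cryptography` package and uses self-signed certificates with a constructed subject name. It builds both schemes and shows what a relying party can actually determine from each: whether the keyUsage extension identifies the certificate's purpose, and whether the two certificates really certify different public keys.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed subject name shared by every test certificate below.
SUBJECT = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "coco test")])


def key_usage_for(usage):
    """Build a keyUsage extension that states what the key is for."""
    signs = usage == "signature"
    encrypts = usage == "encryption"
    return x509.KeyUsage(
        digital_signature=signs, content_commitment=signs,
        key_encipherment=encrypts, data_encipherment=encrypts,
        key_agreement=False, key_cert_sign=False, crl_sign=False,
        encipher_only=False, decipher_only=False,
    )


def self_signed_cert(key, usage=None):
    """Issue a self-signed certificate for `key`.

    With usage=None no keyUsage extension is written at all, which is the
    situation the thread complains about."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(SUBJECT).issuer_name(SUBJECT)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
    )
    if usage is not None:
        builder = builder.add_extension(key_usage_for(usage), critical=True)
    return builder.sign(key, hashes.SHA256())


def classify(cert):
    """Decide from the keyUsage extension alone what this certificate is for."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return "unknown"  # no usage attributes: nothing for a program to go on
    signs = ku.digital_signature or ku.content_commitment
    encrypts = ku.key_encipherment or ku.data_encipherment or ku.key_agreement
    if signs and not encrypts:
        return "signature"
    if encrypts and not signs:
        return "encryption"
    return "ambiguous"


def spki_der(cert):
    """DER-encoded SubjectPublicKeyInfo, i.e. the public key the cert certifies."""
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def keys_are_separate(cert_a, cert_b):
    """True only if the two certificates certify different public keys."""
    return spki_der(cert_a) != spki_der(cert_b)


def compare_schemes():
    """Return (purpose of cert A, purpose of cert B, keys separate?) per scheme."""
    # Consultant's scheme: one key pair, two certificates, no usage attributes.
    shared = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert_a, cert_b = self_signed_cert(shared), self_signed_cert(shared)
    consultant = (classify(cert_a), classify(cert_b), keys_are_separate(cert_a, cert_b))

    # Two-key scheme: separate key pairs, each certificate states its purpose.
    sig_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    enc_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sig_cert = self_signed_cert(sig_key, "signature")
    enc_cert = self_signed_cert(enc_key, "encryption")
    two_keys = (classify(sig_cert), classify(enc_cert), keys_are_separate(sig_cert, enc_cert))

    return {"consultant": consultant, "two_keys": two_keys}


if __name__ == "__main__":
    for scheme, result in compare_schemes().items():
        print(scheme, result)
```

Under the consultant's scheme both certificates classify as "unknown" and certify the same public key, so a compromise of that one private key exposes both past encrypted traffic and the ability to forge signatures, and no amount of programmer effort can pick "the signing cert" from the bytes alone. With two keys and a correctly set keyUsage, `classify` answers the question the programmers were told to figure out, and `keys_are_separate` confirms the separation actually exists.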