Wednesday, August 16, 2000 16:40
> To: Cryptography@C2.Net
> Subject: Re: Using signature-only certs to authenticate key exchanges
>
>
> Lucky (and Bill, in another message),
>
At 07:39 AM 8/17/00 +0800, Enzo Michelangeli wrote:
>My question was about the legal meaning, or, better, prevalent legal
>interpretation, of "signature-only key". ...
>This is not a purely academic issue. For example, in Hong Kong the import of
>cryptographic devices is exempted from import licen
> This effectively exempts things like signature-only smartcards and similar
> tokens.
I would not want to risk things on strict technical interpretation.
I would go solely by intent, which often seems obvious.
"I don't know what cryptography is, but I know it when I see it."
/r$
If you ignore standards for the moment and think about
requirements and threat models, you need to do the following:
- protect against passive eavesdropping (so use crypto)
- exchange keys securely (so use Diffie-Hellman)
- prevent man-in-the-middle attacks (so sign the DH parameters)
- only tal
To: "Cryptography@C2.Net" <[EMAIL PROTECTED]>
Sent: Wednesday, August 16, 2000 4:00 PM
Subject: RE: Using signature-only certs to authenticate key exchanges
Enzo,
Many applications that employ certs ignore key usage restrictions. This
isn't your fault or the fault of the CA. It simply reflects a 'broken'
implementation. IANAL, but I fail to see how you or your customers could be
held responsible for applications that use certs in ways other than the c
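The thread's two technical points, that a signature-only cert is exactly what you need to sign DH parameters, and that many applications simply ignore the keyUsage restriction, can be made concrete with a check that does enforce it. This is an added example, not code from any poster: it decodes the X.509 KeyUsage extension value (a DER BIT STRING, bit layout per RFC 5280) and answers whether a cert may be used for a given key-exchange role; the sample extension bytes are constructed.

```python
# Added example: enforce X.509 keyUsage instead of ignoring it.
# KeyUsage bit positions as named in RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage value (tag 0x03 BIT STRING) into usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    # KeyUsage is at most two content bytes, so only short-form length is valid.
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB of the first byte
            usages.add(KEY_USAGE_BITS[i])
    return usages


# Which keyUsage bit each key-exchange role needs; the role names are this
# example's own, not standard identifiers.
REQUIRED_USAGE = {
    "sign-dh-params": "digitalSignature",   # signed ephemeral DH, as in the thread
    "rsa-key-transport": "keyEncipherment", # session key wrapped under the cert key
    "static-dh": "keyAgreement",            # cert carries a long-term DH public key
}


def may_use_for(usages: set, role: str) -> bool:
    """True only if the cert's keyUsage permits this key-exchange role."""
    return REQUIRED_USAGE[role] in usages


# Constructed sample extension values (hex of the DER BIT STRING).
SIGNATURE_ONLY = bytes.fromhex("03020780")      # digitalSignature only
SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment

if __name__ == "__main__":
    for role in REQUIRED_USAGE:
        print(role, "with signature-only cert:",
              may_use_for(decode_key_usage(SIGNATURE_ONLY), role))
```

A signature-only cert passes for signing DH parameters and is refused for RSA key transport; an implementation that skips this check is the "broken" one the message describes.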