Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-13 Thread erythrocyte
On Sun, Mar 14, 2010 at 8:08 AM, Robert J. Hansen wrote: > On 3/13/10 8:06 PM, erythrocyte wrote: >> Umm.. if I understand the nature of the probability tests or >> calculations just mentioned above, the results have to be accepted as >> they are. They either got it

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-13 Thread erythrocyte
On Sat, Mar 13, 2010 at 10:04 PM, Robert J. Hansen wrote: > > 99.6%; a little different.  The binomial theorem gives us the correct numbers. > > 0 failures: 31.6% > 1 failure: 42.2% > 2 failures: 21.1% > 3 failures: 4.7% > 4 failures: 0.4% Alrighty... :-) . So the combined probability that there

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-13 Thread erythrocyte
2010/3/13 Ingo Klöcker > Sorry, but your calculation is wrong. If the calculation was correct > then with 5 encounters the probability would be 1.25 which is an > impossibility. Probability is never negative and never > 1. (People say > all the time that they are 110 % sure that something will hap

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-13 Thread erythrocyte
On Sat, Mar 13, 2010 at 1:14 PM, Robert J. Hansen wrote: > Even then — so what? Let's say the Type II rate is 25%. That's a very > high Type II rate; most people would think that failing to recognize one set > of fake IDs per four is a really bad error rate. Yet, if you're at a > keysigning par

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-13 Thread erythrocyte
On Sat, Mar 13, 2010 at 1:00 PM, Robert J. Hansen wrote: > > I'm a little confused as to how does that make it any different from > using the Pidgin OTR method. > > It's a question of degree, not kind. > > > I simply open up an OTR session, ask my friend a question the answer to > which is secret

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-12 Thread erythrocyte
ike ACCURATE that look for abuses in voting, you > have... > > The Western tradition of government usually involves a lot of people > looking. This is certainly not to say that abuses don't happen -- they > clearly do -- but they do not occur at the frequency many fear. > Par

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-12 Thread erythrocyte
On Sat, Mar 13, 2010 at 11:40 AM, Robert J. Hansen wrote: > > You have an existing credential - a passport. > > You then use that credential to verify another - a PGP key. > > The passport isn't used to verify the OpenPGP key. The passport is used to > verify *identity*. The key fingerprint is u

Re: Re[2]: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-12 Thread erythrocyte
On Sat, Mar 13, 2010 at 2:44 AM, MFPA wrote: > I would question whether the defence solicitor was fit to practice if > he didn't produce expert witnesses who could explain this sufficiently > clearly for the jury to understand. > LOL ...Easier said than done, IMHO :-) :-P

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-12 Thread erythrocyte
old as > the hills, too. That actually got me thinking. Aren't keysigning parties based on that model anyway? You have an existing credential - a passport. You then use that credential to verify another - a PGP key. -- erythrocyte ___ Gnu

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-12 Thread erythrocyte
It all goes back to how you define your security requirements. Steve Gibson on his podcast, Security Now, once talked about how a certificate from a well known CA was spoofed because of a weak hash algorithm that was used in signing. -- erythrocyte ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-12 Thread erythrocyte
nly by helping you keep information safe between the endpoints... > This does not mean GnuPG is defective. It means you need to understand your > problem, your solution, and what tools you need to enact your solution. I think that that makes perfect sense. :-) -- erythrocyte

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-12 Thread erythrocyte
On 3/13/2010 2:14 AM, Doug Barton wrote: > You posited a scenario where you are using OTR communications to verify > a PGP key. My assumption (and pardon me if it was incorrect) was that > you had a security-related purpose in mind for the verified key. Yes :-) . -- er

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-12 Thread erythrocyte
to well known CAs, while others belong to less reputable ones. Plus some CAs will still use outdated hash algorithms to sign certificates. This has allowed people in some cases to generate fake certificates and spoof well known websites. I learned about this last point from a Security Now episode. BTW Schneier did a nice interview discussing some SSL pitfalls here http://www.v3.co.uk/v3/news/2258899/rsa-2010-q-bruce-schneier . -- erythrocyte

Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-11 Thread erythrocyte
s of Thawte certificates could as well trust that a given bank website is genuine when in fact it might be a fraud. All in all, encryption isn't the panacea that we'd like it to be. At least not yet. There are multiple attack vectors that crop up all the time - from social engineering t

Re: Implications Of The Recent RSA Vulnerability

2010-03-11 Thread erythrocyte
On 3/11/2010 9:15 PM, David Shaw wrote: > Basically, no, and for several reasons. There are a few things that need to > be understood about the new attack. Briefly, this is an attack that relies > on manipulating the power supply to the CPU, in order to cause it to make > errors in RSA signatu

Re: Implications Of The Recent RSA Vulnerability

2010-03-11 Thread erythrocyte
On 3/11/2010 9:13 PM, Robert J. Hansen wrote: > OpenPGP assumes the endpoints of the communication are secure. > If they're not, there's nothing OpenPGP can do to help you make it secure. > ...All tools have preconditions: the existence of a precondition doesn't mean > the tool is broken. > The pr

Re: Implications Of The Recent RSA Vulnerability

2010-03-11 Thread erythrocyte
On 3/11/2010 3:29 PM, Dan Mahoney, System Admin wrote: > On Thu, 11 Mar 2010, erythrocyte wrote: >> Ref: >> http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/ >> > > Okay, let me sum up this article for you: >

Using the OTR plugin with Pidgin for verifying GPG public key fingerprints

2010-03-11 Thread erythrocyte
I'm a user of Pidgin with the off-the-record plugin: http://www.cypherpunks.ca/otr/help/3.2.0/levels.php?lang=en http://www.cypherpunks.ca/otr/help/3.2.0/authenticate.php?lang=en In order to use GPG based email encryption properly, it's important for users to authenticate with each other an

Implications Of The Recent RSA Vulnerability

2010-03-11 Thread erythrocyte
With the recent news of researchers being able to crack 1024-bit RSA keys using power fluctuations, I was wondering if it would be a good idea to switch the RSA keys I have to some other algorithm. Both my signing and encryption keys are 4096-bit keys. Am I vulnerable to this security hole? Is it

Off-The-Record Email

2010-03-11 Thread erythrocyte
I'm a user of Pidgin with the off-the-record plugin: http://www.cypherpunks.ca/otr/help/3.2.0/levels.php?lang=en http://www.cypherpunks.ca/otr/help/3.2.0/authenticate.php?lang=en Is there a way to be able to have off-the-record email conversations with GPG technology? It would definitely be

Re: Changing & verifying the --max-cert-depth in Windows

2010-03-04 Thread erythrocyte
On 3/4/2010 11:15 PM, Daniel Kahn Gillmor wrote: > On 03/04/2010 08:18 AM, erythrocyte wrote: >> And here's the output of the last command: >> >> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model >> gpg: depth: 0 valid: 1 signed:

Changing & verifying the --max-cert-depth in Windows

2010-03-04 Thread erythrocyte
Hi, I have installed the CLI version of GPG. I understand that GPG options have to be set in a configuration file. The configuration file can be created if it doesn't exist as per a previous thread here http://lists.gnupg.org/pipermail/gnupg-users/2008-December/035146.html I added the