Eric Rescorla wrote:
> SHA-1 is only 2^80 strong against birthday attack. If you
> go around using SHA-1 or worse yet MD5 to sign stuff then
> using a private key of size > 1024 is only of limited value.
If you want to forge a signature, you will probably not be able to use
the birthday attack.
Burger, Kobus K wrote:
> I have noticed a couple of discrepancies between mainframe support for MDC2
> and OpenSSL's support:
>
> * Mainframe supports MDC2 with various keys (The documentation notes that
> the default key is the same as the one used by OpenSSL) - Openssl has a
> single key hard
Raghuram Belur wrote:
> I am wondering if it is possible to use some simple cross-platform
> [PRNG] on the client which is probably not too hard to guess and use
> a more robust mechanism such as an entropy gathering daemon on the
> server
You will have to be very careful. For example, if you u
Geoff Thorpe wrote:
> Which leaves
> the mathematical consideration of the multi-prime keys themselves, and
> their generation, to be debated (ie. I doubt the patent could rest on an
> argument that it is a physical process, or an implementation invention,
> because that should bang its head on t
Salz, Rich wrote:
> > Pls excuse my silly question. Can anyone kindly tell me that does
> > signatures have fixed lengths, or not.
>
> For RSA sizeof(sig) == sizeof(key)
For DSA, the signature is 320 bits -- two numbers the size of the
small modulus. For ElGamal the signature is twice the leng
Dr. Greg Quinn wrote:
> A big limitation as far as I can see would be getting certs
> pre-installed into web browsers. The chance of either MS or
> netscape doing this would be close to none.
Yes. On the other hand, there is a way of giving people a trusted
copy of the root certificate without
Leland V. Lammert wrote:
> I don't think you have placed OpenSSL in the proper
> perspective. OpenSSL is a *toolkit* used primarily with OTHER
> applications.
Most toolkits have documentation, though. Developers need to know how
to use the product just like anyone else. For an example, see the
Kristian Köhntopp wrote:
> Now, where do I find a free SSLified IMAP server, please? ;-)
It depends if you want the old or new version of the protocol. The
old version has a different port number for secured IMAP; the new one
doesn't. If you want the new version, you could have a look at
SafeG
At long last, here is the first beta release of SafeGossip, which
implements the new RFCs and Internet drafts for telnet, FTP, IMAP, POP
and SMTP over TLS.
Here are some of the new features:
* Telnet support is now implemented according to the Internet draft.
* You can now configure SafeGossip u
Jeffrey Altman wrote:
> How are you mapping a client cert to a local Unix account name?
>
> Are you using a field within the cert? If so, which one(s)? Are
> different fields used for different services?
>
> Or are you using some form of Certificate MApping Service which takes
> a validated c
Joe Pruett wrote:
> did you ever find a way to do this? i am just starting down the same
> road. pgp licensing is way out of control for commercial use nowadays
> ($9500!).
If you want to do PGP-style messages for commercial use, you are
probably best off with the GNU Privacy Guard (www.gnupg.
Some of you have been asking about my package which implements various
protocols over TLS. Here is an alpha release. I have called the
package SafeGossip, or Gossip for short.
Currently the protocols implemented are FTP, telnet (sort of), IMAP,
SMTP and POP. Gossip supports both the old and ne
"Roth, Leland" wrote:
> 2) Can anyone point to a decent 'SSL ftp' standalone program? I might
> couple that with some Perl to build a workable solution.
Of course FTP over SSL is only an Internet draft at present. However I
am currently working on implementing it (as well as telnet, pop, imap
a
Craig Idler wrote:
> Has someone done something like this in the past? It seems an ssl enabled
> telnet program could do this. It's so easy to use basic telnet talking to port
> 80, but using something that communicates with port 443 is a different story.
Try "openssl s_client". This is similar
Dave Neuer wrote:
> RSADSI seem to have a propensity for casting information in a decidedly
> pro-RSADSI light. Kind of like the way they convinced the IETF that the
> licensing for RSA would always be "affordable and non-discriminatory."
Interestingly one of the RFCs says that the licence fee
s being implicit in the fact that a user possesses a
certificate. (It is often said that certificates should only be used to
vouch for identity and not as a basis for access control decisions. Of
course in practice people do not always keep to this.)
--
Michael Urban wrote:
> Perhaps a file mapping a certificate subject name to a local
> username is a better solution. The certificate can be used at sites
> with different usernames that aren't known at certificate issue time,
> and doesn't require extra baggage in the certificate.
This might wo
17 matches
Mail list logo
