Message-ID: <1110.1202315971@turing-police.cc.vt.edu>
Date: Wed, 06 Feb 2008 11:39:31 -0500
From: Valdis.Kletnieks@...edu
To: Christoph Gruber <list@...u.at>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: JaPCrypt

On Wed, 06 Feb 2008 17:23:49 +0100, Christoph Gruber said:

> If you are able to use PGP/GPG/S/Mime you HAVE already an implemented  
> PKI. Why should someone use PKI to initialize another?

There's this thing called "The Real World", where often you end up doing
stuff like this because something is just plain busticated.  For instance,
https gives us:

a PKI that allows us to use RSA or similar to verify the other end's identity
and exchange a shared-secret to use as a symmetric session key.

Unfortunately, there's cases where you don't *have* https available (as noted
in the original posting).  So what do you do?  You roll-your-own using
PGP or S/MIME to verify identities (if it isn't who it claims to be from,
it won't decrypt) and exchange a shared secret, and then use JaPCrypt to
do the symmetric encryption.
