| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100908193023.GD2207@sentinelchicken.org> Date: Wed, 8 Sep 2010 12:30:23 -0700 From: Tim <tim-security@...tinelchicken.org> To: Andrew Auernheimer <gluttony@...il.com> Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities > > This is no different then installing a client cert > > Yes, exactly. This is as equally secure as installing a client cert. > Except it is achieved without a client cert, using only a password, in > a manner that can be more easily scaled to lots of users. Um... I think you have it backwards. Public key crypto scales, symmetric does not. How many unique passwords do you use for the dozens/hundreds of websites you have an account with? Scalability with people is what matters. Current websites and client software do not make it easy to use one certificate for many sites, but this strategy scales much better. The core difference between the two is that the number of unique keys needed to carry on private converstations in a group of entities grows O(n^2) with symmetric keys and O(n) with public keys. I'm sure you realize this though. tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists