GSM eavesdropping

[Paul Wouters]

On Mon, 2 Aug 2010, Perry E. Metzger wrote:

> For example, in the internet space, we have http, smtp, imap and other
> protocols in both plain and ssl flavors. (IPSec was originally
> intended to mitigate this by providing a common security layer for
> everything, but it failed, for many reasons. Nico mentioned one that
> isn't sufficiently appreciated, which was the lack of APIs to permit
> binding of IPSec connections to users.)

If that was a major issue, then SSL would have been much more successful
then it has been.

I have good hopes that soon we'll see use of our new biggest cryptographically
signed distributed database. And part of the signalling can come in via the
AD bit in DNSSEC (eg by adding an EDNS option to ask for special additional
records signifying "SHOULD do crypto with this pubkey")

The AD bit might be a crude signal, but it's fairly easy to implement at
the application level. Requesting specific additional records will remove
the need for another latency driven DNS lookup to get more crypto information.

And obsolete the broken CA model while gaining improved support for SSL certs
by removing all those enduser warnings.

Paul

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com