Re: Request change in son-of-rfc2633




Paul Hoffman / IMC wrote:

< ... >

> PCs are vulnerable. This doesn't mean we stop all development of
> things that run on PCs.
>
> (FWIW, the paper can be found at
> <http://www.cs.dartmouth.edu/~sws/papers/keyjack.pdf>.)

Interesting paper, although most secure application designers probably realize
that browser keystores are most often protected only by a user-chosen password
which may be weak or even NULL.

The issues raised re: creative ways to insert a "shim DLL" between a secure
application and CryptoAPI (or any other security library using the common DLL
form-factor) are most interesting and apply irrespective of use/non-use of SSL
client authentication.  Anyone know of other recent work in this same area?

> --Paul Hoffman, Director
> --Internet Mail Consortium

Regards,

Dale Gustafson