From lists at internetpolicyagency.com Thu Jan 14 10:41:02 2016
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 14 Jan 2016 10:41:02 +0000
Subject: Draft IP-Bill enters wrap-up phase
Message-ID:

Yesterday was the last oral evidence session (as far as I know) and the Committee now has just four weeks to write up its report.

According to Theresa May in her evidence yesterday, the so-called "end to end encryption" issue is in effect asking third parties [itself a term of art in these discussions] to produce plain text in the same way that RIPA currently asks telecoms providers to *when they apply the encryption themselves*. No government sponsored back doors/secret keys. But they *would* expect someone like Apple to deliver the plain text of a specific iMessage, if asked. Within an overall umbrella of 'reasonably practical'.

In the specific case of Apple, that might be wishful thinking based on a mistaken impression that an iMessage has four ends: sender/Apple/Apple/recipient, or perhaps it's wishful thinking that Apple would co-operate in a targeted MiTM attack (some modalities of which are discussed here):

The other new information which might be of particular interest to folk here is the position with so-called "Coffee shop networks" and of course academic networks. There was a bit of a fudge here, because no-one mentioned that large numbers of coffee shop networks are actually run by public operators like "The Cloud", which is a Sky subsidiary, and of course Sky is one of the big providers that the Home Office is presumably already talking to. (Ditto O2, BT, Virgin etc.)

On the assumption they actually meant genuinely privately run coffee shop networks, the answer was in effect that if a large enough bunch of criminals started using any particular network, or set up shop in a particular academic institution, then the Bill has to ensure that their activities could be monitored if required.
In other words, no safe haven; not that all these places would be hooked up from day one.

Moving on, and following SFS2016, there was a call for new catchphrases. I see Philip Virgo has suggested "Hoover Powers" for bulk data gathering, and my own offering is 192.gov for the bulk datasets.

Theresa May would not give examples of bulk datasets for fear of tipping off criminals (or so she said). But did say that an 'obvious one' would be the list of people with a firearms licence. Not that all criminals with firearms are listed there, of course! The police already have that list (as is to be expected) within the "Names File" below - although missing from Wikipedia's entry - plus a few others as listed here:

https://en.wikipedia.org/wiki/Police_National_Computer#Databases

Meanwhile, looking at the Home Office's recently published written evidence to the Joint Scrutiny Committee, I see they have a concept of "domain name", such that both news.bbc.co.uk and bbc.co.uk/news would be redacted to bbc.co.uk for the purposes of Internet Connection Records. But how would this work (eg) for the school I worked with until recently, whose url is www.wbs.eu.com; because of the arrangements surrounding eu.com (and a few similar ones) the "domain" could be interpreted as just eu.com.

-- 
Roland Perry

From amidgley at gmail.com Fri Jan 22 00:38:58 2016
From: amidgley at gmail.com (Adrian Midgley)
Date: Fri, 22 Jan 2016 00:38:58 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To:
References:
Message-ID:

> thinking based on a mistaken impression that an iMessage has four ends: sender/Apple/Apple/recipient,

The NHS Net mail is persistently described as "end to end encrypted" when it quite clearly is decrypted to store (perhaps being re-encrypted against a key held for that server) on the central server, and then re-encrypted to go to the recipient's computer.
So the idea that there could be a persistent mistake about how many ends there are in a line isn't quite as daft as it might be.

But no, I think it is simply saying whatever seems convenient, alas.

From ukcrypto at absent-minded.com Sat Jan 23 14:25:52 2016
From: ukcrypto at absent-minded.com (Mark Lomas)
Date: Sat, 23 Jan 2016 14:25:52 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To:
References:
Message-ID:

NHS Net mail has two different encryption mechanisms, one of which is end-to-end.

If the users take no special measures then NHS Net mail encrypts between client and server, but messages are stored in clear on the server. That is not end-to-end.

NHS Net mail also provides a PKI to support S/MIME, allowing end-to-end encryption. NHS policy is that any message containing two or more patient records must use this. They felt unable to mandate this for individual records because many NHS staff are incapable of using S/MIME. So, for example, hospital admissions should support S/MIME but an individual healthcare worker isn't required to.

To complicate matters there is an authorisation list for S/MIME that needs to traverse the network boundary. That is to stop staff smuggling out sensitive data having first encrypted it. Staff who need to exchange encrypted messages with external parties have first to be added to the authorisation list.

Mark

p.s. I realise that not all NHS bodies follow the policy, but the mechanism is available to support end-to-end encryption.
From amidgley at gmail.com Sat Jan 23 16:43:02 2016
From: amidgley at gmail.com (Adrian Midgley)
Date: Sat, 23 Jan 2016 16:43:02 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To:
References:
Message-ID:

I suspect places where it is used may be a shorter list than those where it is not.

I'm not convinced anyone in our local setup knows it exists.

From roger at hayter.org Sat Jan 23 18:09:48 2016
From: roger at hayter.org (Roger Hayter)
Date: Sat, 23 Jan 2016 18:09:48 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To:
References:
Message-ID:

AMI, how are the keys for end-to-end users supplied?

-- 
Roger Hayter

From lists at internetpolicyagency.com Sun Jan 24 15:27:43 2016
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sun, 24 Jan 2016 15:27:43 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To:
References:
Message-ID:

In article , Roger Hayter writes

>AMI, how are the keys for end-to-end users supplied?
Is this relevant (I don't know for sure, but as someone formerly practising in Wales maybe you have some inside track):

http://www.wales.nhs.uk/pearsrc/digitial_certificate_setup.pdf

-- 
Roland Perry

From roger at hayter.org Sun Jan 24 17:56:41 2016
From: roger at hayter.org (Roger Hayter)
Date: Sun, 24 Jan 2016 17:56:41 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To:
References:
Message-ID: <9E643856-97A5-4552-BF49-F45341309A7D@hayter.org>

On 24 Jan 2016, at 15:27, Roland Perry wrote:

> In article , Roger Hayter writes
>
>> AMI, how are the keys for end-to-end users supplied?
>
> Is this relevant (I don't know for sure, but as someone formerly practising in Wales maybe you have some inside track):
>
> http://www.wales.nhs.uk/pearsrc/digitial_certificate_setup.pdf
> -- 
> Roland Perry

I was never important enough to be advised to do such a thing. It does seem remarkably simple, but raises more questions. Does it use the same SSL libraries as used for encrypted web sites? If Thawte issue a certificate which you then use, does this potentially give them a way into your encrypted information or not? And is this the same system the English NHS use for end-to-end encryption? It would seem to render NHSnet irrelevant, unless its sole role is to prevent you sending encrypted email or secret documents outside NHSnet.

From mel at herald.co.uk Mon Jan 25 12:13:09 2016
From: mel at herald.co.uk (Melanie Dymond Harper)
Date: Mon, 25 Jan 2016 12:13:09 +0000
Subject: Personal certs
In-Reply-To:
References:
Message-ID: <20160125121308.GQ6709@newmail.herald.co.uk>

On Mon, Jan 25, 2016 at 09:45:02AM +0000, ukcrypto-request at chiark.greenend.org.uk wrote:
> > > In article , Roger Hayter writes
> > >
> > >> AMI, how are the keys for end-to-end users supplied?
> > >
> > > Is this relevant (I don't know for sure, but as someone formerly practising in Wales maybe you have some inside track):
> > >
> > > http://www.wales.nhs.uk/pearsrc/digitial_certificate_setup.pdf
> > > -- 
> > > Roland Perry
> >
> > I was never important enough to be advised to do such a thing. It does seem remarkably simple, but raises more questions. Does it use the same SSL libraries as used for encrypted web sites? If Thawte issue a certificate which you then use, does this potentially give them a way into your encrypted information or not? And is this the same system the English NHS use for end-to-end encryption? It would seem to render NHSnet irrelevant, unless its sole role is to prevent you sending encrypted email or secret documents outside NHSnet.

That's very, _very_ out of date. Thawte haven't done personal certificates for a very long time, and the Thawte Web of Trust has been dead since November 2009.

The certificate keys were generated within the browser in a similar way to the way in which most code-signing certificates are handled these days -- the CA doesn't typically see the private keys at all. I don't offhand remember the precise libraries in use, I'm afraid.

Cheers

Mel (formerly Thawte rep in the UK & Web of Trust notary)

From davehowe.pentesting at gmail.com Tue Jan 26 10:21:47 2016
From: davehowe.pentesting at gmail.com (Dave Howe)
Date: Tue, 26 Jan 2016 10:21:47 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To: <9E643856-97A5-4552-BF49-F45341309A7D@hayter.org>
References: <9E643856-97A5-4552-BF49-F45341309A7D@hayter.org>
Message-ID: <56A748BB.6030506@gmail.com>

On 24/01/2016 17:56, Roger Hayter wrote:
> I was never important enough to be advised to do such a thing. It does seem remarkably simple, but raises more questions. Does it use the same SSL libraries as used for encrypted web sites?

Yes, mostly. Generation will use the SSL library of your web browser, usage the SSL library of your email client.
Underlying protocol is the same.

> If Thawte issue a certificate which you then use, does this potentially give them a way into your encrypted information or not?

Not - just as Thawte issuing a cert for your webserver doesn't give them a way to reach that traffic. The private key is generated locally by your web browser and never leaves your machine.

> And is this the same system the English NHS use for end-to-end encryption?

Yes

> It would seem to render NHSnet irrelevant, unless its sole role is to prevent you sending encrypted email or secret documents outside NHSnet.

No. NHSnet/CfH/whatevertheyarecallingitthisweek isn't actually encrypted - it's a private internet, with access controls, but any security has to be layered onto that or traffic will be available to the BT engineers who maintain and support it. As always, HTTPS & SMTPS can protect point-to-point links, but S/MIME is recommended to protect data end-to-end. By default private internets are no more secure than the public one.

From amidgley at gmail.com Tue Jan 26 14:26:36 2016
From: amidgley at gmail.com (Adrian Midgley)
Date: Tue, 26 Jan 2016 14:26:36 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To: <56A748BB.6030506@gmail.com>
References: <9E643856-97A5-4552-BF49-F45341309A7D@hayter.org> <56A748BB.6030506@gmail.com>
Message-ID:

> By default private internets are no more secure than the public one.

An inconvenient truth within the NHS.

From amidgley at gmail.com Tue Jan 26 14:30:18 2016
From: amidgley at gmail.com (Adrian Midgley)
Date: Tue, 26 Jan 2016 14:30:18 +0000
Subject: Personal certs
In-Reply-To: <20160125121308.GQ6709@newmail.herald.co.uk>
References: <20160125121308.GQ6709@newmail.herald.co.uk>
Message-ID:

Why did Thawte Web of Trust (a phrase I associate with Phil Zimmermann) die?

Did anything supplant it?

One of the things it occurred to me the GMC and Royal Colleges (eg of surgeons) could do would be to assist their registrants or members to do the difficult bit of the PGP WoTrust - knowing the person is the person.

Too new perhaps.

From lists at internetpolicyagency.com Tue Jan 26 15:22:40 2016
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 26 Jan 2016 15:22:40 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To: <56A748BB.6030506@gmail.com>
References: <9E643856-97A5-4552-BF49-F45341309A7D@hayter.org> <56A748BB.6030506@gmail.com>
Message-ID:

In article <56A748BB.6030506 at gmail.com>, Dave Howe writes

>By default private internets are no more secure than the public one.

Quibbling about the terminology, those are probably private intranets.
I'm always amused by the way USA-ians call the public bit the Inner-net, because it makes me wonder what the Outer-net is.

Reminds me of an old joke retold on the BBC last week: "Why can't you hear a pterodactyl having a wee" - "because their p is silent".

-- 
Roland Perry

From nbohm at ernest.net Tue Jan 26 18:01:00 2016
From: nbohm at ernest.net (Nicholas Bohm)
Date: Tue, 26 Jan 2016 18:01:00 +0000
Subject: Personal certs
In-Reply-To:
References: <20160125121308.GQ6709@newmail.herald.co.uk>
Message-ID: <56A7B45C.6050505@ernest.net>

On 26/01/2016 14:30, Adrian Midgley wrote:
>
> Why did Thawte Web of Trust (a phrase I associate with Phil Zimmermann) die?
>
> Did anything supplant it?
>
> One of the things it occurred to me the GMC and Royal Colleges (eg of surgeons) could do would be to assist their registrants or members to do the difficult bit of the PGP WoTrust - knowing the person is the person.
>
> Too new perhaps.
>

When I was on the relevant committee of the Law Society we gave a bit of thought to the equivalent suggestion.

What these bodies can certainly do is assert "There is a solicitor [doctor/surgeon/etc] on our register with address [etc]." What they find much harder is to assert "The person you are dealing with is the same person as the one to whom the foregoing assertion applies."

They are naturally concerned about the risks of making the first assertion and being understood to have made the second.

Nick

-- 
Contact and PGP key here

From pgut001 at cs.auckland.ac.nz Wed Jan 27 05:16:01 2016
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Wed, 27 Jan 2016 05:16:01 +0000
Subject: Personal certs
In-Reply-To:
References: <20160125121308.GQ6709@newmail.herald.co.uk>,
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4BD999B@uxcn10-5.UoA.auckland.ac.nz>

Adrian Midgley writes:

>Why did Thawte Web of Trust (a phrase I associate with Phil Zimmermann) die?

Because no-one was interested in it [0].
The few people who care about WoT did it with PGP, not X.509.

>Did anything supplant it?

CACert notaries, to some extent.

Peter.

[0] "Nobody" here meaning an insufficient number of people for it to be viable.

From mel at herald.co.uk Wed Jan 27 11:23:27 2016
From: mel at herald.co.uk (Melanie Dymond Harper)
Date: Wed, 27 Jan 2016 11:23:27 +0000
Subject: Personal certs/Thawte Web of Trust
In-Reply-To:
References:
Message-ID: <20160127112327.GL6709@newmail.herald.co.uk>

[Apologies for breaking threading, I read this on digest.]

With the usual caveats that I do not speak for Thawte, Symantec or anyone else associated with them --

> Date: Tue, 26 Jan 2016 14:30:18 +0000
> From: Adrian Midgley
>
> Why did Thawte Web of Trust (a phrase I associate with Phil Zimmermann) die?

I suspect it was at least partially a casualty of the sale of Thawte to (as it was at the time) Verisign -- plus, also, lack of takeup, scalability issues, and the like. Personal certificates are _still_ not easily usable by the vast majority of users, even this far down the road. Scalability was compounded by the fact that verification (whether by one or more existing Web of Trust notaries, or by e.g. a notary public) had to be done in person. Identity is hard, mm'kay?

> Did anything supplant it?

Not in the same manner (to the best of my knowledge). It wasn't a case of "something better came along", it was "this wasn't working for Thawte".

Cheers

Mel

From davehowe.pentesting at gmail.com Wed Jan 27 11:55:26 2016
From: davehowe.pentesting at gmail.com (Dave Howe)
Date: Wed, 27 Jan 2016 11:55:26 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To:
References: <9E643856-97A5-4552-BF49-F45341309A7D@hayter.org> <56A748BB.6030506@gmail.com>
Message-ID: <56A8B02E.3080607@gmail.com>

On 26/01/2016 15:22, Roland Perry wrote:
> In article <56A748BB.6030506 at gmail.com>, Dave Howe writes
>
>> By default private internets are no more secure than the public one.
>
> Quibbling about the terminology, those are probably private intranets.

I would argue for internet - it's an externally provisioned network, with its own centrally administered IPv4 space, that joins disparate locally administered LANs that may or may not NAT or firewall their traffic when talking to the other hosts on that network (but if they don't, they should). I use a capital I when talking about the public Internet rather than private internetworking networks, but can't recall where I picked up that convention from.

Not sure what a public intranet would be, other than a contradiction in terms? :D

From davehowe.pentesting at gmail.com Wed Jan 27 11:55:46 2016
From: davehowe.pentesting at gmail.com (Dave Howe)
Date: Wed, 27 Jan 2016 11:55:46 +0000
Subject: Personal certs
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4BD999B@uxcn10-5.UoA.auckland.ac.nz>
References: <20160125121308.GQ6709@newmail.herald.co.uk> <9A043F3CF02CD34C8E74AC1594475C73F4BD999B@uxcn10-5.UoA.auckland.ac.nz>
Message-ID: <56A8B042.60009@gmail.com>

On 27/01/2016 05:16, Peter Gutmann wrote:
> Adrian Midgley writes:
>
>> Why did Thawte Web of Trust (a phrase I associate with Phil Zimmermann) die?
>
> Because no-one was interested in it [0]. The few people who care about WoT did it with PGP, not X.509.

Thawte's WoT would do pgp too; I just assumed given it was discontinued shortly after Thawte was sold, that the new owners didn't want any "community" involvement.
A group I was a member of tried to set up a WoT like structure using Public Notaries to emboss a print of the key thumbprints for an individual, but it didn't work outside of the USA (given most other countries don't have PNs and/or don't respect the US ones).

From lists at internetpolicyagency.com Wed Jan 27 12:50:56 2016
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 27 Jan 2016 12:50:56 +0000
Subject: Draft IP-Bill enters wrap-up phase
In-Reply-To: <56A8B02E.3080607@gmail.com>
References: <9E643856-97A5-4552-BF49-F45341309A7D@hayter.org> <56A748BB.6030506@gmail.com> <56A8B02E.3080607@gmail.com>
Message-ID:

In article <56A8B02E.3080607 at gmail.com>, Dave Howe writes

>>> By default private internets are no more secure than the public one.
>>
>> Quibbling about the terminology, those are probably private intranets.

>I would argue for internet - it's an externally provisioned network, with its own centrally administered IPv4 space, that joins disparate locally administered LANs that may or may not NAT or firewall their traffic when talking to the other hosts on that network (but if they don't, they should). I use a capital I when talking about the public Internet rather than private internetworking networks, but can't recall where I picked up that convention from.

Yes the public Internet should have a capital letter like the Queen. Maybe a bunch of interconnected networks which aren't attached to the Internet could be "a" [different] internet, but I've rarely encountered that usage.

>not sure what a public intranet would be, other than a contradiction in terms? :D

Quite.
-- 
Roland Perry

From g+ukcrypto at cobb.uk.net Wed Jan 27 11:55:54 2016
From: g+ukcrypto at cobb.uk.net (Graham Cobb)
Date: Wed, 27 Jan 2016 11:55:54 +0000
Subject: Personal certs
In-Reply-To: <56A7B45C.6050505@ernest.net>
References: <20160125121308.GQ6709@newmail.herald.co.uk> <56A7B45C.6050505@ernest.net>
Message-ID: <56A8B04A.3030808@cobb.uk.net>

On 26/01/16 18:01, Nicholas Bohm wrote:
> What these bodies can certainly do is assert "There is a solicitor [doctor/surgeon/etc] on our register with address [etc]." What they find much harder is to assert "The person you are dealing with is the same person as the one to whom the foregoing assertion applies."
>
> They are naturally concerned about the risks of making the first assertion and being understood to have made the second,

Well, I hope they are all prioritising solving that problem!! As they have a (legally and socially recognised) function to register their practitioners they need to do it in a way that conveys useful information to the consumers of those services.

As their practitioners move online, and join social networks, the first assertion becomes irrelevant and only the second is useful. If the existing professional bodies can't solve it, someone else will have to and will assume their powers.

A professional "register" in this day and age does not list names and addresses, it lists public signing keys.

Graham

From amidgley at gmail.com Wed Jan 27 15:36:17 2016
From: amidgley at gmail.com (Adrian Midgley)
Date: Wed, 27 Jan 2016 15:36:17 +0000
Subject: Personal certs
In-Reply-To: <56A8B04A.3030808@cobb.uk.net>
References: <20160125121308.GQ6709@newmail.herald.co.uk> <56A7B45C.6050505@ernest.net> <56A8B04A.3030808@cobb.uk.net>
Message-ID:

They could hold a series of assertions, that I Dr A know Dr B and this is his key, and so on.

All the agencies do seem to distrust each other, as well as all previous versions of their agency, leading to the possession of a lot of bits of paper.
Me, I distrust all of them.

From nbohm at ernest.net Wed Jan 27 17:49:25 2016
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 27 Jan 2016 17:49:25 +0000
Subject: Personal certs
In-Reply-To: <56A8B04A.3030808@cobb.uk.net>
References: <20160125121308.GQ6709@newmail.herald.co.uk> <56A7B45C.6050505@ernest.net> <56A8B04A.3030808@cobb.uk.net>
Message-ID: <56A90325.5010800@ernest.net>

On 27/01/2016 11:55, Graham Cobb wrote:
> On 26/01/16 18:01, Nicholas Bohm wrote:
>> What these bodies can certainly do is assert "There is a solicitor [doctor/surgeon/etc] on our register with address [etc]." What they find much harder is to assert "The person you are dealing with is the same person as the one to whom the foregoing assertion applies."
>>
>> They are naturally concerned about the risks of making the first assertion and being understood to have made the second,
> Well, I hope they are all prioritising solving that problem!! As they have a (legally and socially recognised) function to register their practitioners they need to do it in a way that conveys useful information to the consumers of those services.
>
> As their practitioners move online, and join social networks, the first assertion becomes irrelevant and only the second is useful. If the existing professional bodies can't solve it, someone else will have to and will assume their powers.
>
> A professional "register" in this day and age does not list names and addresses, it lists public signing keys.

I suspect we may have some way to go before this becomes the norm.

Do you know of any that do this?

Nick

-- 
Contact and PGP key here

From amidgley at gmail.com Thu Jan 28 12:28:01 2016
From: amidgley at gmail.com (Adrian Midgley)
Date: Thu, 28 Jan 2016 12:28:01 +0000
Subject: Personal certs
In-Reply-To: <56A90325.5010800@ernest.net>
References: <20160125121308.GQ6709@newmail.herald.co.uk> <56A7B45C.6050505@ernest.net> <56A8B04A.3030808@cobb.uk.net> <56A90325.5010800@ernest.net>
Message-ID:

No. Some of the things they do do seem less useful and more expensive.