
June 21, 2007

Web2.0 and the Digital Signature

I've been doing some network security/PKI related stuff at work lately, and something is bothering me. It's how PKI user-space tools are done, and how web applications are pretty much messing up our trust metrics.

We've spent a lot of time and money developing these desktop tools for PKI use -- Mail clients with the ability to use certificates, browsers with the ability to use certificates, cryptoprograms with the ability to use certificates. Troubling now is the advent of the webapp.

Typically web applications "trust" the web browser and more particularly the web server. For client certification, a browser sends out a certificate request, gets a response, does whatever verification and lookup that it has to (OCSP/CRL), and then passes the token off to the web application. The web application has no way of re-verifying the certificate, or even verifying it in the first place (it has to rely on the certificate string that the web server passes to it).
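The reliance described above, as an added example that is not part of the original post: an application behind a TLS-terminating front end can only sanity-check the strings it is handed. The header names, front-end address, the "SUCCESS" verdict string and the enrollment table are assumptions for illustration.

```python
import hashlib
import ssl
from urllib.parse import quote, unquote

# Assumptions (not from the post): a TLS-terminating front end at 10.0.0.5
# forwards its verification verdict and the URL-encoded client certificate
# in these WSGI-visible headers. Names and address are hypothetical.
TRUSTED_FRONTENDS = {"10.0.0.5"}
H_VERIFY = "HTTP_X_SSL_CLIENT_VERIFY"
H_CERT = "HTTP_X_SSL_CLIENT_CERT"

# Constructed sample: placeholder bytes in a PEM envelope, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


class ClientCertError(Exception):
    """The forwarded certificate data must not be used for authentication."""


def cert_fingerprint(environ):
    """Return the SHA-256 fingerprint of the certificate the front end forwarded."""
    # The app never saw the TLS handshake: these are consistency checks on
    # strings handed over by the server, not proof of key possession.
    if environ.get("REMOTE_ADDR") not in TRUSTED_FRONTENDS:
        raise ClientCertError("request bypassed the TLS front end")
    # The front end's verdict is all the app knows about chain/OCSP/CRL checks.
    if environ.get(H_VERIFY) != "SUCCESS":
        raise ClientCertError("front end did not report a verified certificate")
    try:
        der = ssl.PEM_cert_to_DER_cert(unquote(environ.get(H_CERT, "")))
    except ValueError as exc:
        raise ClientCertError("forwarded certificate is not valid PEM") from exc
    return hashlib.sha256(der).hexdigest()


def authenticate(environ, enrolled):
    """Map the forwarded certificate to a user via an enrolled-fingerprint table."""
    user = enrolled.get(cert_fingerprint(environ))
    if user is None:
        raise ClientCertError("certificate is not enrolled")
    return user


def sample_environ(remote_addr, verify="SUCCESS", cert=SAMPLE_PEM):
    """Build a constructed request environment for demonstration."""
    return {"REMOTE_ADDR": remote_addr, H_VERIFY: verify, H_CERT: quote(cert)}
```

Every check here still depends on the front end being honest and correctly configured, which is the trust relationship the post is pointing at.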

Companies like Gradkell make signing applications. Applications could also be done in Java, but really who wants to run these kinds of things inside their browser? Java still feels too heavy. I feel like Javascript itself needs some way to interface with key management systems, though. Hm...

Posted by reid at 01:43 PM | Comments (0)

June 13, 2007

The New Network

A couple of weeks ago, I was in Washington DC. I met with a super-bright researcher at DARPA, and we hashed over some possible research ideas in secure service and data discovery. He suggested that my cohort and I read some of the latest offerings from Van Jacobson.

I've initially been a pretty stark critic of the idea of content-centric networking. My problem is, I guess, that I've read a lot of these SBIR proposals suggesting exactly this solution. The scale of CCN is hardly that of a six-month to one-year problem. Especially not in the context of cross-domain solutions, which generally need to have at least some semblance of assurance. Trying to use CCN as a content control mechanism is kind of a paradox. If the content is secured via a PKI, it's rather difficult for people to find it.

Jae used to have this cynicism about my cynicism concerning computer security. I always find it annoying to see new ideas put forth in the context of computer security, but which make some underlying assumptions about computer security which are patently false. So I think I'll shuck such thoughts to the wind for a while. Van Jacobson's Google Tech Talk is actually very cool -- he's a wizard at selling his idea, and I think it's a darned good one at that. As for a content control mechanism, I think it falls short in a lot of ways. It's kind of like ad-hoc networking with an assumption of pre-distributed shared keys (not very ad-hoc in my opinion). Still, I think the usefulness greatly outshines the limitations. As a content search and distribution system, it is The Way. Hopefully there are still some open areas of research here when I'm ready for my PhD...

Posted by reid at 04:07 PM | Comments (0)

June 05, 2007

Frames Can't Catch Me

I've hiked another big peak...this time it just happened to be the tallest mountain in the contiguous USA.

We started off in Whitney Portal, camping the first night near our car at 8300' of elevation. Our campsite was attacked by black bears. Sean Cody (not that Sean Cody, although they are both computer programmers in San Diego) and I stalked a slightly larger-than-the-other-two (I presume the mother?) black bear, and even managed to chase it up a tree. It had gotten into one of the "bear proof" trash cans because some moronic camper had overstuffed it, and just left the door hanging open. What Would Schneier Say? It's kind of disheartening to see a bear eating trash, even if it is just a black bear...

We hiked up from Whitney Portal to Trail Camp on Saturday. Trail Camp is the highest campsite around, at 12000'. I blazed the trail to this elevation, arriving about an hour earlier than the rest of the crew (really I was even faster than that; I dropped my pack at Outpost Camp, somewhere around 10000', and hiked back down a mile or so to meet my hiking pals, then headed back up with them before splitting off again). I'd like to thank the makers of Sustained Energy for my insane speed. That stuff rocks.

We camped out Saturday night and made plans to do the summit early Sunday, then hike all the way back down to Whitney Portal. Three of my campmates dropped out late Saturday night and Sunday morning. One with altitude sickness, another to take care of the first, and the third having a distinct lack of sleep and overall fatigue.

Three of us headed up on Sunday. We left sometime around 6AM, and reached the summit before 9:30. We made it back to Trail Camp by noon. I filled our water jugs one last time and started off down the trail. Sean and Andre overtook me a ways down the trail, and I ended up being the last one back to Whitney Portal. Kind of fitting, that I was the first element of a stack.

Overall it was a fantastic trip to the tallest mountain that I'm likely to see for a while. The air was certainly thin up that high; in comparison I'll be breathing easily back down at sea level. Pictures that tell the tale in more words can be found in the usual location.

Posted by reid at 02:23 AM | Comments (1)