key exchange – SSL/TLS Forward secrecy with 2 KEM public keys

As we know, the NIST PQC project is in its 3rd round, with a draft standard expected to arrive in the next (few) year(s).

An unfortunate fact is that we're not seeing many signature schemes that are general-purpose enough (in the sense that the size of some of their cryptograms may be large). However, the lattice-based PKC/KEM algorithms have favorable cryptogram sizes.

In SSL/TLS, the forward secrecy feature is where the server signs an ephemeral key for use in key exchange, so that the compromise of the static key doesn’t expose past communications.

Currently, there is a draft on hybrid key exchange at the IETF. My question is: is it possible to achieve forward secrecy by using 2 public PKC/KEM keys, 1 ephemeral and 1 in the certificate, so as to save bandwidth at the same time?

public key infrastructure – What’s the best practice for server certificate issuance protocols in mixed environments?

In mixed Windows/Linux environments, what’s the best practice for issuing server certificates?
If you use Windows MSCA PKI, you’re kind of stuck with using previous certificates to authenticate the renewals on non-domain machines using NDES/SCEP, which is an older Windows protocol. If you go the route of Linux PKI, then you’re probably looking at something like ACME using proof of DNS endpoint control to obtain certificates for that domain.
What’s the most secure way to go if you’re doing it all from scratch, renewal only, DNS based, or using 3rd party tools or SaaS products to maintain and issue certs along with application secrets to only the applications running on the servers?

Is the only full solution to run a Windows and Linux PKI side-by-side using cross-trust? As far as I can tell, setting up FreeIPA to cross-trust a Windows PKI is still kind of a nightmare.

Need Practical Public Photography Guides?

I believe you were given some indications when you posed the question; you can view them, but I will offer some instances for your convenience that have been covered in depth before.

Can I photograph people publicly, in the USA, without their consent?

Photography in public places: Is it allowed or needs permission

What are the laws in Australia surrounding photography in public places?

What are my legal rights when shooting a public event?

Additionally, your point.
Beyond the obvious, I’m not sure what you’re saying.
The point is,
You do need permission to enter someone’s private property; that is true. That is a no-brainer, regardless of whether or not taking photographs is so unimportant to photography and is a universal action to avoid being shot.

Although it mostly concerns commercial photography, some information applies to everyone.

OpenShift nameservers / public IP

I have configured a website on OpenShift; it is working fine with the OpenShift-generated URL. But I am unable to find a valid public IP or nameserver to which I can map the domain name. Any idea?

Archiving public Facebook posts from another person

When trying to archive a Facebook post from a public personality,, and all cache the FB login page instead. Does someone know a web archiving service capable of saving Facebook posts?

security – Is it OK for a public web service to use a database user with rights to execute DDL statements to access its underlying, exclusive database?

  • I wrote a Java web service using Spring that handles REST calls from the Internet.
  • The web service uses a Postgres database underneath to store, modify and read data.
  • The Postgres database is used exclusively by this web service, no other program accesses the database.

The web service uses a database user that has all rights in the database schema (dropping tables, modifying tables, etc.).

Would there be any tangible benefit in using a database user for this web service that only has rights to modify table entries (select, insert, update, etc.), but no rights to execute DDL statements?

Or would this be over-engineered?

❕NEWS – Hits Over $1 Trillion in Cryptocurrency Transactions, Hints at Going Public


authentication – Security requirements for public API keys

I need to provide security requirements for public API keys that will be generated by a web application and then used in automation scripts by clients.

The risk of key exposure is very high, since whoever steals these scripts will be able to execute OS commands remotely on the client domains.

I need to prevent this kind of theft risk while keeping the UX as simple as possible.

For now, I’ve prepared the following requirements:

  1. The key will be generated by the web application, after logging in to the application.
  2. A whitelist of IP addresses will be configured for the key.
  3. The key will have the domain permissions of the user who generated it.
  4. For security reasons, the user will select the set of permissions for the key, e.g. running actions, downloading reports, etc.
  5. The keys will be strings of 40 random alphanumeric and special characters (minimum size; could be longer than that) or GUIDs.
  6. The API will have request rate limiting.
  7. Users should be guided not to hardcode the key in the scripts. The scripts should receive them as a parameter from the user.
  8. The keys will be revoked automatically after 30 days.
  9. Admins will be able to revoke the keys manually.
  10. The key will NOT be transferred as a part of the URL, only in a header or the request body.

What do you think about these recommendations?
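An added sketch, not part of the original question, of how requirements 2, 4, 5, 8, 9 and 10 could be enforced on the server side. The function names, the `X-API-Key` header, the `api_key` query parameter and the in-memory `STORE` are assumptions made for illustration; keeping only a SHA-256 hash of each key goes beyond the list above.

```python
import hashlib
import ipaddress
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "-_.~"  # constructed character set
KEY_LEN = 40                    # requirement 5: at least 40 random characters
KEY_TTL = timedelta(days=30)    # requirement 8: automatic revocation after 30 days
STORE = {}                      # hypothetical store: sha256(key) -> record

def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(user, scopes, allowed_nets, now=None):
    """Create a key; only its hash is stored, the plaintext is returned once."""
    now = now or datetime.now(timezone.utc)
    key = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))
    STORE[_digest(key)] = {
        "user": user,
        "scopes": frozenset(scopes),                              # requirement 4
        "nets": [ipaddress.ip_network(n) for n in allowed_nets],  # requirement 2
        "expires": now + KEY_TTL,
        "revoked": False,
    }
    return key

def revoke_key(key):
    """Manual revocation by an admin (requirement 9)."""
    STORE[_digest(key)]["revoked"] = True

def check_request(headers, query, client_ip, scope, now=None):
    """Return (True, user) if the call is allowed, else (False, reason)."""
    now = now or datetime.now(timezone.utc)
    if "api_key" in query:          # requirement 10: key must never be in the URL
        return False, "key in URL"
    record = STORE.get(_digest(headers.get("X-API-Key", "")))
    if record is None:
        return False, "unknown key"
    if record["revoked"]:
        return False, "revoked"
    if now >= record["expires"]:
        return False, "expired"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in record["nets"]):
        return False, "ip not allowed"
    if scope not in record["scopes"]:
        return False, "scope not granted"
    return True, record["user"]
```

Rate limiting (requirement 6) and the client-side handling in requirement 7 are outside this sketch.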

nginx – 400 Bad Request errors (infrequent) on public Amazon S3 assets

We are hosting S3 public assets (images) under a local path using a reverse proxy from NGINX to S3.

We have noticed periodic errors in our logs (400 errors) which are very infrequent, but are causing issues for visitors. We can tell these are AWS errors since the content type returned is application/xml. Loading these same assets right after the logged error returns the correct response.

I’ve enabled logging on my relevant S3 buckets, but upon inspecting the logs I do not see any 400 errors listed during the timeframes the errors occurred.

  • Would AWS throttle our requests since they are coming from one IP (through the NGINX reverse proxy)?
  • What types of 400 statuses would S3 return for public objects that are valid?
  • Is there another place in the AWS console that would display these 400 errors so we could investigate?

currencies – Can I receive different cryptocurrencies on the same public key?

The main question I have is:

Can I receive different cryptocurrencies on the same public key?

For example: I instruct person A to send me BTC on a public key X. I also instruct person B to send me XRP (or any other crypto) on the same public key X.

  • If not – can you briefly explain why not, i.e. what prevents it? I’ve read in a few places that this is impossible (not sure if true), but I don’t really understand why (if true). What prevents me from doing it? Aren’t the blockchains isolated from one another? Also, as far as I know, most (if not all) cryptocurrencies use the same public-private key logic under the hood.
  • If yes – are there any specific cons apart from obvious (one basket for all)?

Note: This question does not imply the use of online wallets that may have their own logic of aggregating multiple keys under the same online wallet.