[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CJR returned to sender

To: Michael Froomkin <[email protected]>
Subject: Re: CJR returned to sender
From: Derek Atkins <[email protected]>
Date: Fri, 27 Oct 1995 13:18:12 EDT
Cc: "Peter D. Junger" <[email protected]>, Cypherpunks <[email protected]>, Jeff Weinstein <[email protected]>
In-Reply-To: Your message of "Fri, 27 Oct 1995 10:05:10 EDT." <[email protected]>
Sender: [email protected]

> If anyone from MIT is reading this, it would be a real public service to 
> put on a web site (a) what the system used for the release of PGP is 
> exactly and (b) what assurances (oral, written, names & dates) was 
> received from State/Commerce that this was legal.

I can explain (and have explained in this forum) the technical aspect
of how the MIT PGP site works.  I was not involved in the law aspect
of the debate, so I cannot answer legal questions.

There is a two-tiered protection scheme.  The first scheme is that you
need to know the secret directory where PGP resides.  This directory
changes location every 30 minutes, so any attacker has a 30 minute
window in which a name will be valid.  Not 30 minutes from the time
they receive it, 30 minutes from the time the directory last changed
names.

The second scheme involves using reverse DNS lookups and comparing the
DNS hostname to a list of know US-valid hostnames/domains.

An attacker needs to be able to circumvent both schemes at once in
order to get to PGP.

I can go into more detail if people want, or I can take this offline
if people prefer.

-derek

References:
- Re: CJR returned to sender
  - From: Michael Froomkin <[email protected]>

Prev by Date: PRZ On Mitchells
Next by Date: Re: e-mail, business and privicy
Prev by thread: FTP export walls
Next by thread: Re: CJR returned to sender
Index(es):
- Date
- Thread