
Re: CJR returned to sender



> If anyone from MIT is reading this, it would be a real public service to
> put on a web site (a) what the system used for the release of PGP is
> exactly and (b) what assurances (oral, written, names & dates) were
> received from State/Commerce that this was legal.

I can explain (and have explained in this forum) the technical aspect
of how the MIT PGP site works.  I was not involved in the law aspect
of the debate, so I cannot answer legal questions.

There is a two-tiered protection scheme.  The first scheme is that you
need to know the secret directory where PGP resides.  This directory
changes location every 30 minutes, so any attacker has a 30 minute
window in which a name will be valid.  Not 30 minutes from the time
they receive it, 30 minutes from the time the directory last changed
names.

The second scheme involves using reverse DNS lookups and comparing the
DNS hostname to a list of known US-valid hostnames/domains.

An attacker needs to be able to circumvent both schemes at once in
order to get to PGP.

I can go into more detail if people want, or I can take this offline
if people prefer.

-derek
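
A minimal sketch of the two checks described in this message, added here as an illustration and not MIT's actual code. The HMAC-derived directory name, the secret, the suffix list and the PTR table are all assumptions constructed for the example, and the reverse lookup is passed in as a function so the block runs offline.

```python
import hashlib
import hmac

ROTATE_SECONDS = 30 * 60  # rotation interval stated in the message

# Constructed sample data (assumptions, not values from the MIT site).
SECRET = b"constructed-demo-secret"
ALLOWED_SUFFIXES = ["example.edu", "example.com"]
PTR_TABLE = {
    "192.0.2.10": "dialup7.example.edu",
    "192.0.2.20": "host.notexample.edu",
    "192.0.2.30": "example.edu.example.net",
}

def directory_name(secret, now):
    """Directory name for the rotation window that contains `now`."""
    window = int(now // ROTATE_SECONDS)
    mac = hmac.new(secret, str(window).encode(), hashlib.sha256)
    return "dist-" + mac.hexdigest()[:16]

def seconds_left(now):
    """Remaining validity, measured from the last rotation, not from receipt."""
    return ROTATE_SECONDS - int(now % ROTATE_SECONDS)

def hostname_allowed(hostname, suffixes):
    """Match whole DNS labels only, so 'notexample.edu' does not pass as 'example.edu'."""
    host = hostname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def may_download(requested_dir, client_ip, now, reverse_lookup):
    """Both tiers must pass: current directory name AND allow-listed reverse DNS name."""
    current = directory_name(SECRET, now)
    if not hmac.compare_digest(requested_dir.encode(), current.encode()):
        return False
    hostname = reverse_lookup(client_ip)  # None when the address has no PTR record
    return hostname is not None and hostname_allowed(hostname, ALLOWED_SUFFIXES)

if __name__ == "__main__":
    now = 1_801_500  # constructed timestamp, 25 minutes into a window
    name = directory_name(SECRET, now)
    print(name, "valid for", seconds_left(now), "more seconds")
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"]:
        print(ip, may_download(name, ip, now, PTR_TABLE.get))
```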