1994-02-05 - CERT advisory

Header Data

From: hughes@ah.com (Eric Hughes)
To: cypherpunks@toad.com
Message Hash: 728812ac34fe2543811152df21265b91f5ca53d42479ffebe07d6d4fb6113e89
Message ID: <9402050055.AA22719@ah.com>
Reply To: <9402042327.AA43567@dcdmwm.fnal.gov>
UTC Datetime: 1994-02-05 00:59:57 UTC
Raw Date: Fri, 4 Feb 94 16:59:57 PST

Raw message

From: hughes@ah.com (Eric Hughes)
Date: Fri, 4 Feb 94 16:59:57 PST
To: cypherpunks@toad.com
Subject: CERT advisory
In-Reply-To: <9402042327.AA43567@dcdmwm.fnal.gov>
Message-ID: <9402050055.AA22719@ah.com>
MIME-Version: 1.0
Content-Type: text/plain

>The big issue, in my mind, is how the ftpd is going to get the key
>to unlock the *system's* private key... Do you compile it into the
>code?  Should ftpd ask for it when it comes up? 

Since active interception is not nearly so easy as passive listening,
it would be appropriate to use a Diffie-Hellman key exchange in this
situation.  This protocol has no persistent private keys, so the issue
of keeping a private key around securely is not an issue.