From: smb@research.att.com
Date: Fri, 18 Feb 94 10:55:38 PST
To: cypherpunks@toad.com
Subject: Re: CERT/Whitehouse/Clipper link - smoking gun...
Message-ID: <9402181851.AA24808@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


	 By God, I knew there was something fishy about that latest CERT
	 release (the one that referred to things that happened last
	 November and didn't actually say anything new, but somehow
	 managed to hit the *WORLD* press extensively within 24 hours)...

It's stuff that's been happening *since* last November.  I'm quite
certain that the attacks were continuing until (at the very least)
shortly before the announcement.

	 PS The statement is also false: digital signatures would have no effect
	 on network sniffing attacks; but it's just more FUD to strengthen the
	 Whitehouse hand in a release that was buried in a flood of releases
	 that day on Clipper.

No, you're wrong.  A challenge/response login architecture based on
digital signatures would have eliminated the attack.  And digital
signatures -- unlike most other technologies for one-time passwords --
do not require that any secret information be kept on the host.
There are practical difficulties, such as entering in 160 bits of
information, but for host-to-host logins, that isn't much of a problem.