From: Derek Atkins <warlord@MIT.EDU>
To: Michael Froomkin <froomkin@law.miami.edu>
Message Hash: cb6cf2dbf289e0c2729b5edc482a2d248289324adf8ed1fb368550afa71ed8b3
Message ID: <199510271718.NAA07989@toxicwaste.media.mit.edu>
Reply To: <Pine.SUN.3.91.951027100225.10892F-100000@viper.law.miami.edu>
UTC Datetime: 1995-10-27 18:19:53 UTC
Raw Date: Sat, 28 Oct 1995 02:19:53 +0800
Subject: Re: CJR returned to sender
MIME-Version: 1.0
Content-Type: text/plain

> If anyone from MIT is reading this, it would be a real public service to
> put on a web site (a) what the system used for the release of PGP is
> exactly and (b) what assurances (oral, written, names & dates) were
> received from State/Commerce that this was legal.

I can explain (and have explained in this forum) the technical aspect
of how the MIT PGP site works. I was not involved in the law aspect
of the debate, so I cannot answer legal questions.

There is a two-tiered protection scheme. The first scheme is that you
need to know the secret directory where PGP resides. This directory
changes location every 30 minutes, so any attacker has a 30 minute
window in which a name will be valid. Not 30 minutes from the time
they receive it, 30 minutes from the time the directory last changed
names.

The second scheme involves using reverse DNS lookups and comparing the
DNS hostname to a list of known US-valid hostnames/domains.

An attacker needs to be able to circumvent both schemes at once in
order to get to PGP.

I can go into more detail if people want, or I can take this offline
if people prefer.

-derek
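The two-tier gate Derek describes, as an added illustration that is not the MIT site's own code: tier one is a directory name that is only valid for the current 30-minute window (measured from the last rotation boundary, not from when a visitor learned it), tier two is a reverse-DNS check of the client against an allow-list of domains, and both must pass at the same instant. The HMAC-based name derivation, the injected `ptr_lookup`/`forward_lookup` functions, the allow-list and the DNS tables are all assumptions constructed for the example; the original implementation's name-selection and hostname list are not on the page.

```python
"""Constructed illustration of a time-rotated secret directory plus a
reverse-DNS allow-list gate.  Not MIT's distribution code."""
import hashlib
import hmac

ROTATION_SECONDS = 30 * 60  # the directory name changes every 30 minutes


def current_window(now: int) -> int:
    """Index of the 30-minute rotation window containing `now` (epoch seconds)."""
    return int(now) // ROTATION_SECONDS


def seconds_until_rotation(now: int) -> int:
    """Remaining validity of the current name, counted from the last rotation
    boundary rather than from the moment a visitor received the name."""
    return ROTATION_SECONDS - (int(now) % ROTATION_SECONDS)


def directory_name(secret: bytes, window: int) -> str:
    """Derive the secret directory name for one window.
    Assumption: an HMAC over the window index; the real site may have
    chosen names by some other method."""
    digest = hmac.new(secret, str(window).encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def directory_is_valid(secret: bytes, name: str, now: int) -> bool:
    """Tier 1: does the requested directory match the current window's name?"""
    expected = directory_name(secret, current_window(now))
    return hmac.compare_digest(name, expected)


def hostname_is_allowed(hostname: str, allowed_suffixes) -> bool:
    """Tier 2 helper: exact match or a proper subdomain of an allowed domain.
    Plain suffix matching without the dot would wrongly admit 'evilmit.edu'."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def reverse_dns_allowed(ip: str, allowed_suffixes, ptr_lookup, forward_lookup) -> bool:
    """Tier 2: reverse-resolve the client, check the name against the list,
    then forward-confirm it, since whoever controls the PTR zone chooses
    what name comes back."""
    hostname = ptr_lookup(ip)
    if hostname is None or not hostname_is_allowed(hostname, allowed_suffixes):
        return False
    return ip in forward_lookup(hostname)


def authorize(secret, requested_dir, client_ip, now, allowed_suffixes,
              ptr_lookup, forward_lookup) -> bool:
    """Both tiers must pass at the same moment."""
    return (directory_is_valid(secret, requested_dir, now)
            and reverse_dns_allowed(client_ip, allowed_suffixes,
                                    ptr_lookup, forward_lookup))


# Constructed stand-ins for DNS (documentation address ranges, no network).
PTR_TABLE = {"192.0.2.10": "toxicwaste.media.mit.edu",
             "198.51.100.5": "relay.example.net"}
A_TABLE = {"toxicwaste.media.mit.edu": ["192.0.2.10"],
           "relay.example.net": ["198.51.100.5"]}
ALLOWED = ("mit.edu", "miami.edu")  # constructed allow-list, not the real one
SECRET = b"constructed-demo-secret"


def ptr_lookup(ip):
    return PTR_TABLE.get(ip)


def forward_lookup(hostname):
    return A_TABLE.get(hostname, [])


def demo(now=1800 * 1000 + 100):
    """Returns (allowed_client_ok, other_client_ok, stale_name_ok, secs_left)."""
    name = directory_name(SECRET, current_window(now))
    ok = authorize(SECRET, name, "192.0.2.10", now, ALLOWED, ptr_lookup, forward_lookup)
    other = authorize(SECRET, name, "198.51.100.5", now, ALLOWED, ptr_lookup, forward_lookup)
    # Same valid name and allowed client, but presented after the next rotation.
    stale = authorize(SECRET, name, "192.0.2.10", now + ROTATION_SECONDS,
                      ALLOWED, ptr_lookup, forward_lookup)
    return ok, other, stale, seconds_until_rotation(now)


if __name__ == "__main__":
    print(demo())
```

The `demo` run shows the property Derek stresses: a client who learns the name 100 seconds into a window has 1700 seconds left, not a fresh 30 minutes, and the name stops working at the boundary even for an otherwise permitted host. The forward-confirmation step in `reverse_dns_allowed` is a defender-side hardening of the check as described; the message does not say whether the original site did it.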