Crypto software that *is* exportable from the USA

1999-01-23 Thread Paul Sheer
Hi there, I am trying to draw attention to what I think is an important piece of software - Mirrordir. It supports strong encryption but is exportable from the US because it does not have encryption compiled in by default. Instead it downloads the scripts it needs from South Africa when it runs f

Re: Crypto software that *is* exportable from the USA

1999-01-23 Thread Bear Giles
> It supports strong encryption but is exportable from
> the US because it does not have encryption compiled in by default. Instead
> it downloads the scripts it needs from South Africa when it runs for the
> first time.
This is *extremely* risky behavior. FTP and HTTP sites *are* compromised.

Re: Crypto software that *is* exportable from the USA

1999-01-23 Thread Raul Miller
Bear Giles <[EMAIL PROTECTED]> wrote:
> The only thing resilient to compromised servers are cryptographically
> signed cryptographic checksums. Which requires PGP. Which is not
> exportable. And which requires a "chain of trust" to evaluate
> whether to trust the key used to sign the checksum.

Re: Crypto software that *is* exportable from the USA

1999-01-23 Thread Bear Giles
> Bear Giles <[EMAIL PROTECTED]> wrote:
> > The only thing resilient to compromised servers are cryptographically
> > signed cryptographic checksums. Which requires PGP. Which is not
> > exportable. And which requires a "chain of trust" to evaluate
> > whether to trust the key used to sign the

Re: Crypto software that *is* exportable from the USA

1999-01-23 Thread Raul Miller
Bear Giles <[EMAIL PROTECTED]> wrote:
> But you're biting your own tail here. Where do you get that "good"
> checksum?
Any place which is acceptable to the package maintainer -- perhaps out of a pgp signed archive. If the package maintainer can't produce a trustable package, it doesn't matter ho

Re: Crypto software that *is* exportable from the USA

1999-01-24 Thread Bear Giles
> Bear Giles <[EMAIL PROTECTED]> wrote:
> > But you're biting your own tail here. Where do you get that "good"
> > checksum?
>
> Any place which is acceptable to the package maintainer -- perhaps out
> of a pgp signed archive.
Remember, the start of this discussion was an (FTP) mirroring program

Re: Crypto software that *is* exportable from the USA

1999-01-24 Thread Raul Miller
Bear Giles <[EMAIL PROTECTED]> wrote:
> The problem isn't in *producing* a package, it's in *acquiring* that
> package later. What happens if someone successfully attacks a site
> immediately before you mirror it?
What happens if someone replaces a PGP signature? Answer: people notice. [Conside

Re: Crypto software that *is* exportable from the USA

1999-01-24 Thread Paul Sheer
On Sat, 23 Jan 1999, Bear Giles wrote:
> > It supports strong encryption but is exportable from
> > the US because it does not have encryption compiled in by default. Instead
> > it downloads the scripts it needs from South Africa when it runs for the
> > first time.
>
> This is *extremely* risk

Re: Crypto software that *is* exportable from the USA

1999-01-24 Thread Wichert Akkerman
Previously Paul Sheer wrote:
> Also: there is no GPL secure shell (as far as I know).
But people are working on that. From what I hear it's on the verge of becoming useable. Don't ask me about the name, I always forget it.
Wichert.
--

Re: Crypto software that *is* exportable from the USA

1999-01-24 Thread Jules Bean
On Sun, 24 Jan 1999, Wichert Akkerman wrote:
> Previously Paul Sheer wrote:
> > Also: there is no GPL secure shell (as far as I know).
>
> But people are working on that. From what I hear it's on the verge of
> becoming useable. Don't ask me about the name, I always forget it.
It's called psst.

Re: Crypto software that *is* exportable from the USA

1999-01-24 Thread Bear Giles
Wichert wrote:
> Previously Paul Sheer wrote:
> > Also: there is no GPL secure shell (as far as I know).
>
> But people are working on that. From what I hear it's on the verge of
> becoming useable. Don't ask me about the name, I always forget it.
MIT Kerberos (4 and 5) is open source and provide

Re: Crypto software that *is* exportable from the USA

1999-01-25 Thread James R. Van Zandt
Paul Sheer wrote:
>I remember someone was maintaining the debian release of this software
>(although then, it did not support encryption). Please get the latest
>version from:
> ftp://lava.obsidian.co.za/pub/mirrordir/US/
I maintain the Debian package of mirrordir. The last version I packa

Re: Crypto software that *is* exportable from the USA

1999-01-25 Thread Paul Sheer
> - I would not be able to include the new crypto features in the package
>anyway due to US export laws.
no, the US version contains no crypto code.
> (Debian packages are binary only, and
Both the source and binary US versions of mirrordir contain no crypto code.
>FTP connectivity is