Bob Atkinson <> writes:
Actually, and sort of to the point, no, the keys never actually ever the BBN box, except as part of a backup procedure in which they are extracted in a doubly-encrypted form for which for security reasons you need the manufacturer's help in restoring.
To this day, no human or computer other than the box itself knows the key.
Yeah, but we can always just release a patch for windows which makes it check signatures made by "cypherpunks certification services". As has been noted in previous discussions of CAPI (on this list), there is room for different competing patched key signature services: sign anything, sign only CAPI modules which don't involve GAK (key escrow), sign modules for which source code has been examined and provide a degree of assurance that the module is secure. Charges could be made for the CAPI rating, to the module provider, and to the users of the rating service even (with non-transferable signatures). Also, the BBN box might be overkill considering ActiveX -- the key could probably be patched delivered maliciously by the unsuspecting windows user accessing a web page. Adam -- Have *you* exported RSA today? --> print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`