Keyserver service outage
The public keyserver running on martigny.ai.mit.edu will be unavailable starting Thursday, May 5, 1994 at approximately 9am EDT. During the coming week, the Massachusetts Institute of Technology will begin formally distributing PGP 2.5, a new version of PGP that is based on the RSAREF 2.0 cryptographic toolkit, under license from RSA Data Security, Inc., dated March 16, 1994. When that distribution becomes available, the keyserver will return running PGP 2.5. At that time, the keyserver will no longer accept keys that are identified as having been created by versions of PGP lower than 2.4. (PGP 2.4 is Viacrypt PGP.) --Brian LaMacchia public-key-server-request@martigny.ai.mit.edu
At that time, the keyserver will no longer accept keys that are identified as having been created by versions of PGP lower than 2.4. (PGP 2.4 is Viacrypt PGP.)
It is my understanding that folk outside the USA can legally run PGP versions from 2.0 to 2.3a, but cannot legally run Viacrypt 2.4 or the RSAREF-based version 2.5, because they contain code that cannot be exported from the USA. Thus, it appears that the keyserver will not accept any legally created keys from outside the USA. I think that this is a bad thing. --apb (Alan Barrett)
| It is my understanding that folk outside the USA can legally run PGP | versions from 2.0 to 2.3a, but cannot legally run Viacrypt 2.4 or the | RSAREF-based version 2.5, because they contain code that cannot be | exported from the USA. Thus, it appears that the keyserver will not | accept any legally created keys from outside the USA. I think that this | is a bad thing. I think folks outside the US can legally run 2.4 or 2.5, as there are no restrictions in their countries on using that software. The difficulty is getting it outside of the US without getting anyone in trouble. Perhaps this would be a time to try the 'exporting code on paper' thing that was discussed as a way to get the AC source out of the USA legally. Adam -- Adam Shostack adam@bwh.harvard.edu Politics. From the greek "poly," meaning many, and ticks, a small, annoying bloodsucker.
It is my understanding that folk outside the USA can legally run PGP versions from 2.0 to 2.3a, but cannot legally run Viacrypt 2.4 or the RSAREF-based version 2.5, because they contain code that cannot be exported from the USA.
Think about this. Under whose law would your running PGP 2.5 be illegal? Your country's perhaps, I don't know. But the U.S. has no law against foreigners (who aren't under its jurisdiction, anyway) using encryption. Now, it's illegal under the ITAR for someone in the U.S. to export any version of PGP, or almost any crypto software. This is for National Security reasons, natch. And most U.S. use of pre-2.4 versions probably infringes on RSA's patent on the math behind PGP. But once it's over the border, none of this matters (until GATT extends the miracle of uniform software patents to its signatories). Eli ebrandt@hmc.edu
The public keyserver running on martigny.ai.mit.edu will be unavailable starting Thursday, May 5, 1994 at approximately 9am EDT.
During the coming week, the Massachusetts Institute of Technology will begin formally distributing PGP 2.5, a new version of PGP that is based on the RSAREF 2.0 cryptographic toolkit, under license from RSA Data Security, Inc., dated March 16, 1994. When that distribution becomes available, the keyserver will return running PGP 2.5. At that time, the keyserver will no longer accept keys that are identified as having been created by versions of PGP lower than 2.4. (PGP 2.4 is Viacrypt PGP.)
--Brian LaMacchia public-key-server-request@martigny.ai.mit.edu
This is silly. Why a server would want to use licensed code is understandable. Why a server would try to restrict keys generated by versions other than 2.4 & the mysterious 2.5 is moronic. I will not use this server regardless of which version I have and use, and I urge others to resist the use of this server as well. This policy only serves to create suspicion and drain confidence in versions of PGP over 2.3a. I ask the following questions: Will source code be available for PGP2.5? Who was responsible for the modifications that make PGP2.5, version 2.5? and on the topic of PGP security generally: Why is MacPGP2.3 not signed? Why is MacPGP2.3 v1.1 not accompanied by a source code? When is the new version of PGP by Phil Z. going to be released? Or is 2.5 it? Can we expect similar tactics from the future versions of PGP? Perhaps some tag bits somewhere in messages to identify versions more quietly? I ask the operators of the remaining servers to remove the MIT server from their automatic mirror update list and to avoid a policy of excluding keys generated by any "non-conforming" software in their own operations. I ask users of PGP not to add future keys to the offending server. I call on cypherpunks to estlablish less formal key servers and develop more stealthy and secure methods of key distribution. -uni- (Dark)
The public keyserver running on martigny.ai.mit.edu will be unavailable starting Thursday, May 5, 1994 at approximately 9am EDT.
During the coming week, the Massachusetts Institute of Technology will begin formally distributing PGP 2.5, a new version of PGP that is based on the RSAREF 2.0 cryptographic toolkit, under license from RSA Data Security, Inc., dated March 16, 1994. When that distribution becomes available, the keyserver will return running PGP 2.5. At that time, the keyserver will no longer accept keys that are identified as having been created by versions of PGP lower than 2.4. (PGP 2.4 is Viacrypt PGP.)
Whoa... why not??? PGP 2.4 output is identical to 2.3a! Is PGP 2.5 somehow incompatible with 2.3a? Besides, if you take a PGP 2.3 key and change the version number to 2.4, the software can't tell the difference... Let's not play stupid games. Either it's compatible with 2.3 AND 2.4 or it isn't. Anyway, PGP 2.5 is news to me... Does it have any new features? Limitations?
During the coming week, the Massachusetts Institute of Technology will begin formally distributing PGP 2.5, a new version of PGP that is based on the RSAREF 2.0 cryptographic toolkit, under license from RSA Data Security, Inc., dated March 16, 1994. When that distribution becomes available, the keyserver will return running PGP 2.5. At that time, the keyserver will no longer accept keys that are identified as having been created by versions of PGP lower than 2.4. (PGP 2.4 is Viacrypt PGP.)
When will this supposed new version of PGP be released? Is it available on any FTP sites yet? I'm sure most of the people on this list would like someone to get a copy and check out the validity of it... PS Why didn't we hear this from Phil or one of the other coders first? -- ========================================================================== | Michael Brandt Handler | Philadelphia, PA | <grendel@netaxs.com> | | PGP 2.3a public key available via server or mail | ==========================================================================
participants (7)
-
Adam Shostack -
Alan Barrett -
Black Unicorn -
Brian A. LaMacchia -
Eli Brandt -
grendel@netaxs.com -
Matthew J Ghio