From owner-freebsd-security  Fri Sep  8 06:26:21 1995
Return-Path: security-owner
Received: (from majordom@localhost)
          by freefall.freebsd.org (8.6.12/8.6.6) id GAA06511
          for security-outgoing; Fri, 8 Sep 1995 06:26:21 -0700
Received: from alpha.dsu.edu (ghelmer@alpha.dsu.edu [138.247.32.12])
          by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id GAA06505
          for <security@freebsd.org>; Fri, 8 Sep 1995 06:26:19 -0700
Received: (from ghelmer@localhost) by alpha.dsu.edu (8.6.12/8.6.12) id IAA18134; Fri, 8 Sep 1995 08:25:34 -0500
Date: Fri, 8 Sep 1995 08:25:34 -0500 (CDT)
From: Guy Helmer <ghelmer@alpha.dsu.edu>
To: Piero Serini <piero@strider.ibenet.it>
cc: Guido.vanRooij@nl.cis.philips.com, piero@strider.ibenet.it,
        stesin@elvisti.kiev.ua, wollman@lcs.mit.edu, security@freebsd.org
Subject: Re: Do we *really* need logger(1)?
In-Reply-To: <199509081248.OAA22923@strider.ibenet.it>
Message-ID: <Pine.OSF.3.91.950908081847.18045A-100000@alpha.dsu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

On Fri, 8 Sep 1995, Piero Serini wrote:

> Hello.
> 
> Quoting from Guido van Rooij (Fri Sep  8 13:10:13 1995):
> > I dont like a root password stored in a program.
> 
> You can do this in a secure manner. But I agree with you.
> 
> > Better is to have a
> > diffie-hellman scheme to obtain a session key.

Better yet (IMHO), use a key known only to the client and the server that,
when concatenated with the data on the client, provides an MD5 signature
on the data that the server can verify (like I believe NTP's protocol
works) -- this avoids patent problems _and_ the US ITAR encryption export
restrictions... 

Guy Helmer, Dakota State University Computing Services - ghelmer@alpha.dsu.edu