Stuart Tares | 2 Sep 2005 16:41

Re: thoughts on sha-1


Anthony G. Atkielski said the following on 02/09/2005 12:50:

>>Do you have a direct contact with PGP Corp that will tell you who
>>has access to the source code or who has signed a mutual non
>>disclosure?
> 
> 
> You're saying that PGP no longer even publishes the source code?  I
> guess the situation is worse than I thought.

I am not saying that they do not publish the source code
(http://www.pgp.com/downloads/sourcecode/).  I was asking: how do
*YOU* know who has had access to the source code and who has reviewed it?

> Who are they, and where have they published their evaluations?

I am not at liberty to say who they are because of the job positions
that they are in.  However, even if they came forward and published
their evaluations, would you trust them?  Please refer to Ken
Thompson's article again: even if you have the source and someone has
reviewed it, it does not mean that it is safe.

> The people who wrote it probably have fewer motivations to put
> backdoors into it, and the source is probably more widely circulated
> and examined.

You are arguing against yourself here.  First you say "And I suspect
nobody has reviewed GnuPG, either, although I'd trust it
more than PGP." and now you are saying that it is more widely examined.
Both statements cannot be true.

Why would the GnuPG team have less motivation than PGP Corp.?  Using your
own argument, they are all human and it is possible to blackmail them.

> I don't know who is writing PGP.

You may not know all of the people who write PGP but you also don't know
all of the people writing GnuPG or any other bit of software which you
do not create yourself.

> I think not.  The gangsters didn't notice that the FBI had put a
> keylogger on their machines.

That was bad physical security on their part.  Their threat model was not
calculated properly.  They thought that they were safe by using
encryption but forgot that access to the passphrase and private key
negated everything.

--
Stuart Tares
List Moderator | GnuPG v1.4.1 | PGP 8.0.3
Thunderbird 1.0.6 | Enigmail 0.92.0.0
My OpenPGP Key: http://www.biglumber.com/x/web?qs=0xD56109E630C8CCF6