From: Rick Moen (rick at domain linuxmafia.com)
Date: Fri 10 May 2002 - 00:03:09 IST
Quoting Enda (enda at domain unison.ie):
[Ex-Fed private detective:]
> He wouldn't trust PGP because as far as he was concerned, the NSA
> wrote it. I know PGP is opensource and all, and all the original
> distributions were source code only for unix environments distributed
> on USenet..... but does anybody out there actually know of someone who
> has gone to the bother of auditing the PGP code?
First of all, who cares about PGP? It's basically dead, at this point.
And the available implementations for Linux, such as they are, are
proprietary and encumbered by the IDEA patent.
GnuPG, on the other hand, is none of that.
And, no, NSA didn't write it. For one thing, they would have done a
better job than, for example, PKZ's original "Bass-o-matic" symmetric
cipher -- which was pretty bad, and quickly replaced by IDEA.
But what must be examined is two-fold: algorithms and implementation.
The main GnuPG ciphers (their algorithms) have been subject to a great
deal of broad scrutiny -- ElGamal, DSA, RSA, Blowfish, 3DES.
So the main question is: How solid is the implementation? Your view on
this might depend on how much you esteem the international
public-knowledge crypto community. It's a fairly famous and important
piece of software, and so has been somewhat examined by the experts. On
the other hand, it's relatively new. So, pick your poison.
> Ever wonder why the case was dropped against him?
Because the threat was a paper tiger, and PKZ had called their bluff.
They never had a case. It was purely an intimidation tactic that failed.
But, by the way, no suit was ever filed. PKZ was merely the subject of
a Federal "investigation" to determine whether he had violated export
regulations. Which amounted to a US Attorney issuing a press release to
that effect, and probably never doing anything else at all.
> Ever wonder why RSA didn't sue his ass for infringing their patents?
First and foremost, because of the likelihood of their _losing_, and
thereby losing their patent rights entirely. Remember, RSA was invented
publicly at MIT, and RSADSI tried and failed to claim patent rights
against them: MIT and all of its surrounding community never paid a
penny in royalties. Because of the irregular way the patent was
processed, it was always a very weak and vulnerable property.
Also, because PGP, Inc. readily agreed to compromise terms favourable to
RSADSI, whereby PGP, Inc. would use only RSADSI's RSAREF library, and
for non-commercial purposes only. So that usage didn't threaten
RSADSI's business, and actually promoted their products.
-- 
Cheers,      "That article and its poster have been cancelled."
Rick Moen        -- David B. O'Donnel, sysadmin for America Online
rick at domain linuxmafia.com