-----BEGIN PGP SIGNED MESSAGE-----
"warlord" == Derek Atkins <warlord@mit.edu> writes:
warlord> This is where you are very wrong. I am not saying that "if warlord> you can't find any holes it must be secure". What I am warlord> saying is that the source is available, and thousands of warlord> people have looked at the source, and none of them have warlord> found any holes in it. While I largely disagree with Dr. Cohen's conclusions, I do think we should extinguish the "Examine the source!" mantra. I find it surprising that people so familiar with public key cryptography would be reassured by the argument, "Here, this algorithm has been examined by thousands and nobody has found a trap door." Public key cryptography demonstrates that it is possible, in principle, to construct an algorithm with a trap door that nobody else is *ever* going to find. I wonder whether Rivest could construct a hash function which only he could invert... :-) When an algorithm is essentially defined by a tangle of C code, like the PGP random number generator, the "Examine the source!" mantra becomes even more hollow. Ironically, the fact that it was designed by competent cryptographers potentially makes it even more dangerous. Of course, there is no practical alternative at this time. Maybe someday your entire operating environment will be formally proven correct, and the cryptographic algorithms will be provably as hard as factoring, and factoring will be proven hard, and the system will ask you to flip a coin and type "0" or "1" every time it needs a random bit. But until that day, you will have to decide whom to trust. Personally, I trust the authors of PGP. So do most of the people on this list, I suspect. Maybe Dr. Cohen can convince me that my trust is misplaced; but to do so, he will need something better than NSA conspiracy theories. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3beta, an Emacs/PGP interface iQCVAwUBMB5IU3r7ES8bepftAQGRvQP+Masb3fWdJg9UA6YYufuVZ5EZU8wfhuar IXpjID+iSyVV1UnMN5CiWj8912H3buUslygVnbCwv/vnuKdtz5h9k2+lpCUX4r11 2QVAWg4ij1LiA1DU7N2l2K4oqb5mszVZrQcW6aJJzqiuPcvij5Vl7cN3hDTfdttJ x9emd0xEjPA= =nxBy -----END PGP SIGNATURE-----