I know it doesn't exercise key technology and relies on the secrecy of the algorithm (which from my very limited knowledge on cryptography I think makes it almost doomed from the start (?))...
Yes, it does. Without the slightest insult of any kind to your friend, the problem is that the vast majority of "new" algorithms have actually been invented time and time again long ago. And the vast majority of those have been shown to have vulnerabilities. Phil Zimmerman writes about this in the PGP docs. It is overwhelmingly likely that your friend has, no doubt with the best of intentions, stumbled across something that has a simple flaw he doesn't know about. Further, secrets are hard to keep. PGP works _because of_ its publicity, not in spite of it. When the algorithm must be kept secret, every little thing must be watched. Just a few months ago, someone cracked the encryption on Microsoft's Win95 registry database by taking a snapshot of the contents of memory at a key moment. Other hacks break other efforts at secrecy. In fact, no sensible user should trust anything to a secret algorithm. I may not be able to tell the difference between Diffie-Hellman and Lillian Helman...but I can go talk to those who can. If the coders and evaluators I trust tell me there's a problem, I can go hunt up another solution. Doing anything else buying a pig in a poke. Now, there are a lot of not-sensible users out there. Slick marketing can result in a bundle being made. But it's not the best way to go. -- Bruce Baugh bruce@aracnet.com http://www.aracnet.com/~bruce