At 6:24 PM -0400 9/27/00, brflgnk@cotse.com wrote:
Ray said:
-- begin quote --
I do not buy the story that what happened to PGP was an accident; on the contrary, it was just NAI doing what they had to do to get approval to put it up for international downloads, the same as Lotus just did what it had to do.
-- end quote --
I have to agree. The very existence of unhashed packets in the key structure is insecure. Given that unhashed packets were a design decision for V4 keys, and given that the PGP/NAI guys are arguably not bone-stupid, some coercion must have been brought to bear.
BTW, Wells Fargo is happy with Netscape 4.08, but not 4.07. I had wondered why a 4.08 release was built so long after 4.5x was available. I guess now I know.
I can't speak to the truth or falsity or plausibility of some of the claims here, but there is a general point: modularization.

There is no real reason for crypto to be built into complex products, at least not when those products are well-suited for handling text (and even files). If speech is in the form of ASCII (or even MIME) text, then end-to-end crypto can be done using fairly basic (and hence more easily verified, audited, and tested by time) modules which are NOT PART OF THE MORE COMPLEX PRODUCT.

To wit, who really cares whether Netscape 4.08 or 4.07 has crypto built in so long as a robust, non-trapdoored crypto program is available?

We lose a lot of the advantages of orthogonality (independent programs, modules) when we seek "all in one" solutions. And we make the job of the NSA and SDECE and GCHQ spooks a lot easier when we adopt all-in-one solutions.

--Tim May

--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152   | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.