On Thu, 7 Nov 1996 14:41:06 -0500 (EST) Adam Shostack <adam@homeport.org> writes:
Dale Thorn wrote: | stewarts@ix.netcom.com wrote: | > >> On Tue, 5 Nov 1996, Edward R. Figueroa wrote: | > >> > Last, I would like to know once and for all, is PGP compromised, is | > >> > there a back door, and have we been fooled by NSA to believe | > >> > it's secure? | > You can read and compile the source code yourself.
| Really? All 60,000 or so lines, including all 'includes' or attachments? | | I'll bet you can't find 10 out of 1,000 users who have read the total source, | let alone comprehended and validated it.
The fact that most readers have not examined it does not mean that the availability of the source is not important. If the source was tightly held, perhaps some experts would have seen it. Thats not likely, security experts are in high demand today, with companies paying a lot for their time. Phil could not have competed.
In addition, up and coming experts, curious amatuers, and students couldn't have looked at it. Having your protocol open to wide review is a good thing even if few people take advantage of it, because you may hire the wrong experts. The experts you hire may miss something. Someone may have a new attack under development, and not be able to try it against your software.
The multitude of hackers who ported pgp also contributed a large stack of bug reports and fixes. Without source availablity, the mac, os/2, amiga & UNIX ports would be held up, or perhaps not exist.
Publicly distributed source code also tends to be of higher quality (see Fuzz Revisited, at grilled.cs.wisc.edu)
In short, if you're paranoid, feel free to look over the source. But the fact that most people have never peeked under the hood is not a strike against pgp at all.
-- "It is seldom that liberty of any kind is lost all at once." -Hume
Maybe you missed my point, or I miss-communicated. My question is as follows: If PGP and DES are as secure as thought to be, then why is it not ruled illegal software, just as they do with silencers, narcotics, certain type weapons, etc..... My opinion is "NOT A PARANOID VIEW, BUT RATHER A REALITY". I find it impossible that software that could be a National Security Threat, being shared by the masses! I believe either people are nieve, or ignorant of the capability of the NSA. If there are "back-doors to the algorithms, you can bet your life you and no one else will find out. The conceivability that encryption on the Net is safe, is ludicrous! Just my thoughts, and not paranoia. Ed