A reasonable response. My question is: Why do you think that the key generation algorithm used by PGP is secure? Specifically, how do we know there is no subtle back door that reduces the problem of testing the typical key space to a solvable problem in today's technology?
I don't believe I made ANY "vague, wild, unsupported claims"; however, that is certainly a matter of opinion.
OK, let me put in my 2 pence contribution. Let's see. I can try to write a nice program to protect myself. I could XOR something with my key (00000000) and use that. Then tell my fellows and all of us use the same program. Or I could even be more tricky and implement something more complex. Now, my knowledge, time and resources are limited. I see that MIT or whoever has made a program that, under test, is more secure than my XOR 00000000 implementation. I may not fully trust them, but it is better than anything I could come up with. So, my position is: if it's the best thing I have access to, I only have two options: either I use it or I give up on cryptography altogether. Right?

Now, I think that what I am trying to say is: if you can come up with something better, please do. All the Free (and Wannabe Free) World will be eternally grateful to you. If you can't, then you only have the above two options. Bragging about hypothetical fears that you can't demonstrate at all is not only stupid, it is also pessimistic, destructive, unproductive and threatening to all kinds of freedom. Nazi perhaps? Dunno. And I don't care.

Security? As you have already been told, you can only prove it negatively. So, since you can only prove that it can fail, but can't prove that it can't, any discussion is irrelevant unless you have any real proof. The whole process is based on a fight against time: you are assuming that nobody can break your crypto process before the secret becomes irrelevant. All your security lies in the fact that *YOU* don't know of anybody who can break the problem, but you can't deny that someone could ever possibly discover a clever algorithm. Thus: either you have proof that it can be broken, or know a better algorithm, or can name someone who can prove s/he can break it, or you just trust it the best you can. Any other kind of discussion is a sophism.

Dr?... hum. Let me try then a different analogy: I have a patient with a lethal disease with no known therapy. Then someone comes up with A, which cures people, but, being new, could maybe possibly perhaps have some side effect that no one knows of yet and can't be demonstrated (but could exist). Now, should I trust the lives of my patients to therapy A, or should I wait for some years to be sure it has no side effects? Even so, since the fact that nobody has reported them doesn't mean it could not have them (only that nobody has discovered them), I can't be 100% sure. Oh, well, I guess that if your doctor never gave you a therapy 'cos you can never be 100% sure, you would not like the idea. Would you trust your life to that therapy when you know for sure you are about to die if you don't? What if A saved 100%, but there was a therapy B that saved 20%, with no known side effects either? Which one would you choose? Thus, can you trust lives and whatnot to something not fully known? I'd say that unless you have something better, that's your best bet. So, since you know for sure that if you don't use any cryptography at all, you must communicate in the clear, what do you do? So, can you come up with something better or not?

jr