In article <9308280330.AA24324@toad.com>, peter honeyman <honey@citi.umich.edu> wrote:
: i'm impressed. (honest.) but the task here isn't to compare viacrypt
: to pgp -- they use different rsa engines -- it's validating that viacrypt
: doesn't have a backdoor. the diff scheme you describe presupposes that
: this step has been done, but it has not, and i think it would be very,
: very hard to do.

My understanding is that the two pieces of software are very similar. A full decompile and analysis would be a pain (but doable and worthwhile, if one is paranoid enough) but I don't think it's necessary.

My thought is that once one has isolated the differences, those alone would get scrutinized. One would isolate the rsa engines by difference, pretty up the code, and then verify that it doesn't have any backdoors. So long as the two versions are closely related, the code that has to be understood apart from pgp should be relatively small and that would make the verification process much easier.