On Fri, 20 Oct 1995, Paul Koning 1695 wrote:
I'd be interested in reactions to the article in Network World, 10/16/95 issue, page 53. It describes a supposed cryptosystem that sounds bogus, but I can't make up my mind about how much is the system and how much is the confusion of the author.
I have heard a lot about the Elementrix POTP encryption algorithm. I remain skeptical of this algorithm until the source code is released.
Among other things, it says that POTP "doesn't use an encryption algorithm; instead it synchronizes random processes on two computers as they communicate". (I wonder if the author understands that that's just another way to describe encryption algorithms...) I don't believe this is an error caused by the author's ignorance of encryption. I remember hearing the same exact thing about POTP "not using an encryption algorithm" from one of the Elementrix spokespeople.
The other claim is that it eliminates the need to manage keys. "... there is no need for central servers where PGP keys ... are kept".
This seems like a strange claim because of course PGP doesn't require central servers, but more importantly, you can't do authentication without at least one piece of keying data being established out of band. That could be a certification authority public key, but you need something to get started.
Supposedly this thing was shown at Interop. Did anyone see it, and does the product make sense even if the article didn't?
I downloaded the secure email client for windoze and it seemed to make sense. I might have misunderstood the documentation but it says that it has to establish a "secure channel" with the other person by reciprocating emails with what I would guess to be key synchronization data. FYI, this client is available from the Elementrix FTP site at ftp.elementrix.com. ---------------------------------------------------------------- `finger -l markm@omni.voicenet.com` for public key and Geek Code Public Key 1024-bit: 0xF9B22BA5 Fingerprint: BD 24 D0 8E 3C BB 53 47 20 54 FA 56 00 22 58 D5