
Someone mistitling itself "Truthmonger" writes:
> Now that you seem to have actually read what I have written, perhaps you might consider reading what you, yourself, have written. I stated my case for contending that PGP=>2.5 has been compromised, and got back wild-eyed demands for proof of that which I did not claim, mainly, that PGP had been 'broken.'
>
> To reiterate my original observations:
> 1. The development of RSA was funded and controlled by the spooks. i.e. - The National Science Foundation and the Navy.
> 2. The campaign of persecution against Phil Zimmermann ground to a halt once he agreed to PGP using the spook-developed RSAREF subroutines to implement the RSA functions, instead of PGP's original subroutines.
>
> If people with guns came to me and told me that software I had written now had to use their subroutines, instead of my own, then I would consider my software 'compromised', regardless of whether or not I could immediately discern any anomalies in it. It is far, far easier to 'build' a back-door, than to 'find' one.

"TM" (I can't bring myself to use its full name, since it is so totally inappropriate) has made the following claims:

1. "PGP => 2.5 has been compromised."
2. "It is far, far easier to 'build' a back-door, than to 'find' one."

His main argument rests on the fact that the later versions of PGP use RSAREF, rather than Phil's own code. As support of the first claim, he claims:

> 1. The development of RSA was funded and controlled by the spooks. i.e. - The National Science Foundation and the Navy.

I'm not sure what you're referring to with "RSA" here - is it the algorithm or the company?

If it's the algorithm, you may or may not have the intellectual capacity to verify it yourself - if you don't, you have no business telling us it's compromised, and if you do, either publish the problem (and claim your 15 minutes of fame), or admit there is no hole you are aware of. There are plenty of people on this list who can follow the math, even if you can't.

If it's the company, then you are either ignorant or lying. RSA has *not* had a good relationship with the USG, as those who have been following the matter over the years know well. Most recently, you will notice that it has licensed some of its patents to a Japanese chip maker in an effort to avoid problems with US export restrictions. Is this the action of a USG patsy?

> 2. The campaign of persecution against Phil Zimmermann ground to a halt once he agreed to PGP using the spook-developed RSAREF subroutines to implement the RSA functions, instead of PGP's original subroutines.

PGP 2.5 was released in March 1994, about a year after Phil was indicted. It took until January 1996 for the indictment to be dropped; nearly another two years. If a deal was struck, why did it take so long? The dismissal of Phil's persecution was almost certainly due to (a) the approach of the statute of limitations, and (b) the very high probability that he would be found innocent if they took him to trial. The government simply ran out of legal pretexts under which to harass him.

Now that your supporting assertions have been shown to be flawed, let's return to the original claims.

1. "PGP => 2.5 has been compromised."
2. "It is far, far easier to 'build' a back-door, than to 'find' one."

The problem, TM, is that we have full source code, and anyone with the intelligence and knowledge required can check it independently. PGP and RSAREF are both distributed as source. There is not one byte of instructions or data that has to be accepted on faith - no precompiled libraries, no mysterious DLLs or ActiveX controls. If there is a backdoor, show it to us.

Your second claim, that it is easier to build a backdoor than to find one, is true but not pertinent. Let's try an analogy.

1. You buy a house from a builder. You, being paranoid, wonder if the builder has included a secret door to enable him to enter the house without your permission. You investigate what you can, but in the end are left with some doubts.
2. You buy a set of blueprints from the builder, and examine them carefully for weaknesses. You then buy a plot of land of your choice, hire the workers you want, get materials from any supplier you wish. You supervise the construction yourself down to the last detail. Others who have purchased the same blueprints include trusted independent architects and construction engineers, who concur with you that no hidden back doors can be found in the design. At this point, how worried are you that the builder has left himself an unauthorized entry?

The situation with PGP >=2.5 is like the second scenario, not the first.

What it comes down to, "TM", is: Put up or shut up. You can't spread FUD in a situation where there is no unknown to Fear, no Uncertainty to deal with, and no Doubt that we have all the knowledge we need. Respond in a substantive manner. So far, you've avoided doing so.

Peter Trei
trei@process.com