How to make fixes stick (Was Re: PGP 2.5 Beta Release Over, PGP 2.6 to be released next week)
According to Jeffrey I. Schiller, PGP 2.6 will issue broken messages, unreadable by earlier legal versions of PGP (Viacrypt's 2.4 in USA and Canada, and any version outside backward-crypto-land). In summary, how do we make our fixes to this obvious bug stick?

(Institutional paranoia on)

To me, this change is an obvious step in satisfying the TLA's desire for a segmented crypto market to slow widespread use of strong crypto. On the one side, we have misapplied ITAR regulations preventing export of a worldwide standard. On the other side, we have a wrongly-granted patent preventing use of an imported worldwide standard. PGP is a de-facto worldwide standard, and they're trying to break it.

(Institutional paranoia off)

From the keyboard of: Adam Shostack <adam@bwh.harvard.edu>
And 2.4 is legal, if the 2.6 code doesn't recognize that, well, then that code is buggy & will need to be fixed. :)
Adam has the right idea. The question is, how do we make such a fix stick? In order to beat the "canonical release" advantage of the broken 2.6, we'll need to spread the word widely (at least until a 2.6-compatible PGP is released and ported to the full range of current platforms by our outside compatriots).

Some suggestions for after we create such patches:

- Letters to computer magazines (Infoworld, Wired, PC Week, etc.)
- Add entry to PGP FAQ about communicating with non-USA/Canada PGP users
- Add entry to PGP WWW pages in UK
- Weekly postings of the patches to alt.security.pgp (from outside NA)
- Monthly postings of the patches to alt.sources.patches (from outside NA)
- Press releases in other appropriate newsgroups, repeated
- Come up with others, particularly for the non-net world. :-)

Richard
Richard Johnson:
| Adam has the right idea. The question is, how do we make such a fix
| stick? In order to beat the "canonical release" advantage of the
| broken 2.6, we'll need to spread the word widely (at least until a
| 2.6-compatible PGP is released and ported to the full range of current
| platforms by our outside compatriots).

I think the way to do it is to 'de-canonize' the MIT release of the code. That is to say, not make any mention of MIT as an FTP site for it, but instead, make a contrib directory at the top level, with patches & a readme. Then tar that up, perhaps as PGP2.6.1, and put it on soda, EFF, and other major FTP sites.

In the "where to get PGP" docs, make no mention of the FTP site at MIT, or perhaps make mention of the fact that it fails to handle releases outside of the US properly, and that this problem is not being fixed for political reasons.

Adam

--
Adam Shostack adam@bwh.harvard.edu
Politics. From the Greek "poly," meaning many, and ticks, a small, annoying bloodsucker.