Why Not to use PGP 5.0
An entity calling itself William H. Geiger III allegedly wrote:
Well I went to this web page and once again nothing but FUD.
Oh well better luck next time frogfarm,
I think the best luck I could have would be if some kind soul were to explain in a little detail why the claims on the above page are FUD, for those of us not as technically advanced as the hardcoders. I don't write 'em; I just forwards 'em...

--
Write your representatives and complain. Demand that they institute the death penalty for all crimes, including jaywalking, tearing the tags off mattresses and "thinking about possibly contemplating an action which may be considered a crime at some point in the future." ['TruthMonger', on the cypherpunks list]
On Sun, 24 Aug 1997, Damaged Justice wrote:
It sounds like a collection of gripes, some apply to the unix, but if that works, it talks about the windows or mac version. Some thoughts:

1-5 The scanned source generates RSA keys. The old version generates RSA keys so keep it around.

8-10 - then I am currently doing the impossible... If they released it as a "non-beta", the gripe would be that they should have kept it beta until the very last problem is fixed.

11 - I linked with rsaref on both an intel and alpha linux. Laziness or stupidity on the part of the user is not a problem with PGP. And where do you get a commercial unix version of 2.6.2? Or even the freeware - if they aren't going to bother with RSAref with 5.0, they won't with 2.6. And with RSAref properly configured, RSA keysize is limited.

12 - I found one problem with the alpha, and it was trivial to fix.

25 - /dev/random or other generation methods. I notice that pgpv hangs if there is no randseed.bin until I hit a few keys (it needs to be /dev/urandom in many cases). When the system has a random number generator, why do your own?

26 - There is no problem with DH the way PGP is using it. There are also attacks against RSA, which PGP tries to avoid. If you have found a real problem, identify it, otherwise you can worry as much about RSA as DH. Also, it will accept RSA/SHA1, but won't generate them because - horrors - that would not be compatible with the older versions and there would be more gripes because of that.

28 - they have -c in the unix version. It only does 2.6 compatible encryption.

16 - They don't document the hkp, but it seems to be just the response to the form of a standard keyserver, so my http style scripts work. All keyservers still used that weird port number, so everyone had to enable it in their firewalls.

Some comments with merit:

Keyservers - if pgp.com has a working one for 5.0, they should propagate the source.

Options - There are entries to change the conventional cipher and hash, but these are ignored.

pgpv accepts all, but pgpe cannot generate all, but many of these are to be "standard" or backward compatible, and that would cause more gripes. And if an option was not fully tested, or available in all versions, it would be good for another gripe point.

But the source is available. If you don't like something, then fix it instead of complaining.

--- reply to tzeruch - at - ceddec - dot - com ---
In <199708250009.UAA02186@yakko.cs.wmich.edu>, on 08/24/97 at 08:09 PM, Damaged Justice <frogfarm@yakko.cs.wmich.edu> said:

Well I went to this web page and once again nothing but FUD.
Oh well better luck next time frogfarm,

--
---------------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------