Re: PGP bastardization (fwd)
He has no legal comeback (ha, there's an interesting irony about the author of the world's leading piece of guerilla software...) and the most he can do is apply peer pressure to get the guy to back down.
The way I read it, he was concerned about including the hacked versions under the "PGP" banner. With this, I agree. PGP and prz will always be inseparable, and I sure wouldn't want someone to take something of mine, change it into something I didn't like, and keep my name on it. As a matter of respect and decency for anyone's work (and especially prz's), a separate and distinct identity should accompany the changes.

=D.C. Williams
Tom Rollins expresses his astonishment:
I was shocked to receive an E-mail from Phil Zimmermann.
I have pieced together a multiple cipher that consists of the chain IDEA-TRAN-IDEA-TRAN-IDEA. Where IDEA is the same IDEA (128 bit key + 64 bit IV) algorithm that pgp uses and TRAN is a byte transposition across the 4K buffer block (each tran uses 32 bit key). Thus giving this multiple cipher a keyspace of 640 bits.
Can you spell O-V-E-R-K-I-L-L? This might be an interesting homework exercise but even 128 bits of keyspace is nowhere near being exhausted by the set of passphrases contemplatable by the average human. Bigger is not always better or more useful.

Phil comments as follows:
PGP's reputation, and my reputation (which is tied to PGP), depends on people trusting the quality of encryption algorithms and protocols that I have carefully selected for PGP, using all of my knowledge and experience. If someone were to put a new encryption algorithm into PGP without my permission, it could serve to tarnish the reputation that PGP has earned over the years.
I have to agree with Phil here. While the guts of PGP are extremely useful for building other crypto applications, we should avoid using the name PGP for anything other than the products given that name by Phil and his assignees. Otherwise, PGP's reputation will almost certainly be diluted by association with large numbers of derivative applications, which although useful, have not already proven themselves over time in the same way that PGP has.

A good example of this is the popular disk encryption utility which uses an MD5 passphrase hash and IDEA/CFB encryption similar to PGP's conventional encryption mode. As "Secure Drive", it is a valuable addition to our privacy arsenal. Calling it "PGPDrive", on the other hand, would not have been a good idea.

We do not need a zillion other products with names like PGPPhone, PGPTerm, PGPmail, and numerous hacked versions of PGP itself floating around if we are to keep PGP synonymous in the public mind with a single unambiguous gold standard for privacy and strong crypto.

What Tom has done may or may not be a good idea, but he should call it something that doesn't have PGP in the name. TomCrypt perhaps? :)

--
Mike Duvos      $ PGP 2.6 Public Key available $
mpd@netcom.com  $ via Finger.                  $