PGP 2.6 and the future
Seems to me, perhaps, that the introduction of 2.6 might be a precursor to RSA legally cracking down on anyone running pre-2.6 versions (accepting that 2.4, viacrypt, is ok). Scarey if you think about it, especially if the RSA folx are in bed with the fed, which doesn't seem that unrealistic considering the political climate. That, coupled witht he fact that no one has yet verified the seciurity of 2.5/2.6 lead me to seriously question the security of this new version, since we are essentially being forced to use it if RSA starts suing everyone, or gets the fed to crack down because of patent infringement. Sorry, just a rambling... ____ Robert A. Hayden <=> hayden@krypton.mankato.msus.edu \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> Political Correctness is \/ Finger for PGP 2.3a Public Key <=> P.C. for "Thought Police" -=-=-=-=-=-=-=- (GEEK CODE 1.0.1) GAT d- -p+(---) c++(++++) l++ u++ e+/* m++(*)@ s-/++ n-(---) h+(*) f+ g+ w++ t++ r++ y+(*)
-----BEGIN PGP SIGNED MESSAGE----- "Robert A. Hayden" writes:
Seems to me, perhaps, that the introduction of 2.6 might be a precursor to RSA legally cracking down on anyone running pre-2.6 versions (accepting that 2.4, viacrypt, is ok).
How can they crack down on key-servers running only the keymanagement code? I don't think they can, but if they're in cahoots with the FED's then they can do what they want because they have guns.
Scarey if you think about it, especially if the RSA folx are in bed with the fed, which doesn't seem that unrealistic considering the political climate. That, coupled witht he fact that no one has yet verified the seciurity of 2.5/2.6 lead me to seriously question the security of this new version, since we are essentially being forced to use it if RSA starts suing everyone, or gets the fed to crack down because of patent infringement.
I'm willing to wager that this 2.6 and maybe 2.5 versions are hacked by the NSA to put in their spiffy key-escrowed backdoor. Anyone think 2.6 *doesn't* have a backdoor added? - -- Allan Bailey, allan@elvis.tamu.edu | "Freedom is not free." Infinite Diversity in Infinite Combinations | allan.bailey@tamu.edu Esperanto: MondLingvo, lingvo internacia. ;; spook fodder ;; ;; CIA SDI bomb Waco, Texas PLO Saddam Hussein Peking Clinton explosion ;; Croatian cryptographic nuclear class struggle World Trade Center ;; quiche -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLdfQ2019fA0AcDy9AQHdPgP8CdVlF0UY5z2807uJtfqmT71Ne1N+ytKv aXtVryRn2S/zBDLBLpHyv5o1Wxyqr55R1ziFzIDDpB7qoZgwKxw0iK/rIqqvgZ6s 5+QH5OpHl1lUx0YkRryjwPRemV8+RMc1cPKZECVR1FiAzv4TaxVHbl31vU0Obce3 oDSRYIm1PFU= =xUVo -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- "Perry E. Metzger" writes:
Allan Bailey says:
I'm willing to wager that this 2.6 and maybe 2.5 versions are hacked by the NSA to put in their spiffy key-escrowed backdoor.
How much are you willing to wager? I'll take the bet at any size.
WAit! Let me correct that statement before I lose my shirt. I'm willing to wager that 2.6 (and maybe 2.5) MIT'd PGP versions are hacked by the NSA to put in a backdoor. ^^^^^^^^^^ (emphasis added.) I'll bet you a C-note, Perry. Now how do you propose to prove or disprove this? - -- Allan Bailey, allan@elvis.tamu.edu | "Freedom is not free." Infinite Diversity in Infinite Combinations | allan.bailey@tamu.edu Esperanto: MondLingvo, lingvo internacia. -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLdfTok19fA0AcDy9AQHKiwP/dtC8MQ40g0mnGrD2gnxDJVG+gtxl4enB u35Gv0Yt7S5IVks+TJoyfv4SGT8tyjDrBbY7+ibOkM38VDsHPpg4IWQlM9I449EZ 9XgvCK5RvMVfBBpruRbQGCjz7b09MsAbUK3R/jerbYS7HwUkMZq7WBk269xDWBy6 sC6eHZGBN+k= =nh85 -----END PGP SIGNATURE----- PS: just make make sure we agree on the definition of "C-note": C-note == $100.00 US
"Perry E. Metzger" writes:
Allan Bailey says:
I'm willing to wager that 2.6 (and maybe 2.5) MIT'd PGP versions are hacked by the NSA to put in a backdoor. ^^^^^^^^^^ (emphasis added.)
I'll bet you a C-note, Perry.
Done for $100.
Now how do you propose to prove or disprove this?
The commonly selected way to settle such things is to select a neutral referee to adjudicate based on available evidence. The source code is public, so it should it should be trivial to read it and make a decision as to whether anything untoward has been done. I'll accept any reasonably expert referee -- my selection of choice would be Hal Finney since he is a well known cypherpunk, is strongly familiar with the code and would recognise any tampering.
Well, Hal wanted to bet me too, but you were first. If he's still willing, I'll agree to him also.
Tampering may be defined given what you are claiming as the presense of what a reasonable cryptographer would refer to as a "back door".
Agreed.
Once we've settled on a judge and they've accepted the charge (we may need to pay the person for their time), we present our evidence to the person and allow them to make a decision.
Agreed.
I'll happily bet any larger sum, too, if you like.
I'm a University programmer/sysadmin. I.e., poor, but with a good InterNet connection. :)
I'd also request that a neutral third party hold the stakes. At your choice the party can be the judge or another individual mutually acceptable.
Sounds fine with me. If Hal, or another agreed upon judge is willing, I'll send my cheque in. -- Allan Bailey, allan@elvis.tamu.edu | "Freedom is not free." Infinite Diversity in Infinite Combinations | allan.bailey@tamu.edu Esperanto: MondLingvo, lingvo internacia.
bludy emacs VM doesn't stop you from sending an unsigned message yet. i'm going to have to make a binding for that tonight.... grrr... -----BEGIN PGP SIGNED MESSAGE----- "Perry E. Metzger" writes:
Allan Bailey says:
I'm willing to wager that 2.6 (and maybe 2.5) MIT'd PGP versions are hacked by the NSA to put in a backdoor. ^^^^^^^^^^ (emphasis added.)
I'll bet you a C-note, Perry.
Done for $100.
Now how do you propose to prove or disprove this?
The commonly selected way to settle such things is to select a neutral referee to adjudicate based on available evidence. The source code is public, so it should it should be trivial to read it and make a decision as to whether anything untoward has been done. I'll accept any reasonably expert referee -- my selection of choice would be Hal Finney since he is a well known cypherpunk, is strongly familiar with the code and would recognise any tampering.
Well, Hal wanted to bet me too, but you were first. If he's still willing, I'll agree to him also.
Tampering may be defined given what you are claiming as the presense of what a reasonable cryptographer would refer to as a "back door".
Agreed.
Once we've settled on a judge and they've accepted the charge (we may need to pay the person for their time), we present our evidence to the person and allow them to make a decision.
Agreed.
I'll happily bet any larger sum, too, if you like.
I'm a University programmer/sysadmin. I.e., poor, but with a good InterNet connection. :)
I'd also request that a neutral third party hold the stakes. At your choice the party can be the judge or another individual mutually acceptable.
Sounds fine with me. If Hal, or another agreed upon judge is willing, I'll send my cheque in. - -- Allan Bailey, allan@elvis.tamu.edu | "Freedom is not free." Infinite Diversity in Infinite Combinations | allan.bailey@tamu.edu Esperanto: MondLingvo, lingvo internacia. -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLdfadU19fA0AcDy9AQF6MgP+LNU5cbOIko4EyIXc8xkA3h3vQf6UOOIA RsysJhbY8NWjtBZ2yI3yxewrLecb0+448tLmFjuPDM+ZlORcP7OPS30qMOzuO8oe VZC/nWm+SvD2Rgh5T8pI5RjcbD8SLozBlcwMVdvnmEyxngCaRLmlBoMLWqmeom9k RJ6PD0FHYKw= =8pmK -----END PGP SIGNATURE-----
Allan Bailey says:
I'm willing to wager that 2.6 (and maybe 2.5) MIT'd PGP versions are hacked by the NSA to put in a backdoor. ^^^^^^^^^^ (emphasis added.)
I'll bet you a C-note, Perry.
Done for $100.
Now how do you propose to prove or disprove this?
The commonly selected way to settle such things is to select a neutral referee to adjudicate based on available evidence. The source code is public, so it should it should be trivial to read it and make a decision as to whether anything untoward has been done. I'll accept any reasonably expert referee -- my selection of choice would be Hal Finney since he is a well known cypherpunk, is strongly familiar with the code and would recognise any tampering. Tampering may be defined given what you are claiming as the presense of what a reasonable cryptographer would refer to as a "back door". If you have any other suggested neutral third parties with requisite skill I'll happily tell you if they are acceptable. Once we've settled on a judge and they've accepted the charge (we may need to pay the person for their time), we present our evidence to the person and allow them to make a decision. I'll happily bet any larger sum, too, if you like. I'd also request that a neutral third party hold the stakes. At your choice the party can be the judge or another individual mutually acceptable. Perry
"Robert A. Hayden" writes:
I'm willing to wager that this 2.6 and maybe 2.5 versions are hacked by the NSA to put in their spiffy key-escrowed backdoor.
Anyone think 2.6 *doesn't* have a backdoor added?
Yup. In order for ANYONE with sense to trust this release, they're going to have to release the source like they have in previous versions. If there is a backdoor in the code, it will undoubtedly be spotted rather quickly, as there will be hundreds, if not thousands of people going over the code... And if there is a backdoor, it will be quickly eliminated via a patch file. Personally, I'm going to compile the code myself, just to make sure they haven't tried to sneak a backdoor into the binary and not the source... As for patching PGP 2.6 to read previous messages: since RSAREF is going to be changing, I don't know how likely this is. Our best bet would be to include RSAREF 2.0, which I believe can still decode earlier messages, as well as the new RSAREF, and put in code to recognize which version of PGP the message was created with and use the "apppropriate" version of RSAREF. Anyway, this should be a moot point after about two weeks or so, as PGP v2.6 will undoubtedly appear in the rest of the world.. -- ========================================================================== | Michael Brandt Handler | Philadelphia, PA | <grendel@netaxs.com> | | PGP 2.3a public key available via server / mail / finger | ==========================================================================
participants (4)
-
allan@elvis.tamu.edu -
grendel@netaxs.com -
Perry E. Metzger -
Robert A. Hayden