Re: Information [for new PGP user]

I'll bet you can't find 10 out of 1,000 users who have read the total source, let alone comprehended and validated it.
Depending on the system, compiler and version of PGP, compilation may or may not function as expected.
I know, I class myself as quite an experienced programmer (though I haven't done a lot of code recently) but I spent several days weeding through the bugs and it still wouldn't compile on Borland C++ V4.51 so I just read the core code and hoped the executable was really derived from that code. I'm normally more paranoid than that but I just don't have the time to spend getting Borland to compile it. It won't even compile on my system with the Borland makefile that comes with PGP. Has anyone else on here managed to get it to compile under Borland and how long did it take them????
Datacomms Technologies web authoring and data security
Paul Bradley, Paul@fatmans.demon.co.uk
Paul@crypto.uk.eu.org, Paul@cryptography.uk.eu.org
Http://www.cryptography.home.ml.org/
Email for PGP public key, ID: 5BBFAEB1
"Don't forget to mount a scratch monkey"

Paul Bradley wrote:
I'll bet you can't find 10 out of 1,000 users who have read the total source, let alone comprehended and validated it. Depending on the system, compiler and version of PGP, compilation may or may not function as expected.
I class myself as quite an experienced programmer (though I haven't done a lot of code recently) but I spent several days weeding through the bugs and it still wouldn't compile on Borland C++ V4.51 so I just read the core code and hoped the executable was really derived from that code. I'm normally more paranoid than that but I just don't have the time to spend getting Borland to compile it. It won't even compile on my system with the Borland makefile that comes with PGP.
Yet another success (NOT!) story for PGP. I wonder how many people on this list would be willing to bet something *really* important to them on the security of PGP?

In <3284BF7A.36E0@gte.net>, on 11/09/96 at 09:29 AM, Dale Thorn <dthorn@gte.net> said:
Yet another success (NOT!) story for PGP. I wonder how many people on this list would be willing to bet something *really* important to them on the security of PGP?
Dale you are truly a clueless shmuck. I would be truly interested to see how many platforms and with how many different compilers the source code of YOUR program would work.
--
-----------------------------------------------------------
whgiii@amaranth.com <William H. Geiger III>
-----------------------------------------------------------

whgiii@amaranth.com wrote:
In <3284BF7A.36E0@gte.net>, on 11/09/96 at 09:29 AM, Dale Thorn <dthorn@gte.net> said:
Yet another success (NOT!) story for PGP. I wonder how many people on this list would be willing to bet something *really* important to them on the security of PGP?
Dale you are truly a clueless shmuck. I would be truly interested to see how many platforms and with how many different compilers the source code of YOUR program would work.
Tell ya' what, Mr. know-it-all. From 1983 to 1988, I developed my own database program and ported it to 7 different small-computer O/S's. Much of the re-porting for updates I handled with custom utilities I developed for the purpose. I wouldn't claim to have expertise equal to some of those whizzes from IBM et al, but I sure as hell know what it is to make code *very* portable. Problem with PGP (apparently) is multiple sources (programmers) and just a helluva big size for what it does (for most people). Now, Win95, WinNT, etc. are also big for what most people will use them for, but then again, those programs will *never* be issued with source, and anyway, you don't have to bet the farm on their security.

In <328523F4.3BC@gte.net>, on 11/09/96 at 04:38 PM, Dale Thorn <dthorn@gte.net> said:
Dale you are truly a clueless shmuck.
I wish to apologise for the above comment. I had confused Dale with Don Wood of Snake-Oil fame. I am confused by Dale's repeated attacks on PGP without offering viable alternatives for a public-key encryption system. Sorry, I'll try to remember to count to 10 before I post replies to the list. :)
--
-----------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting WebExplorer & Java Enhanced!!!
Cooking With Warp 4.0
Author of PGPMR2 - PGP Front End for MR/2 Ice
Look for MR/2 Tips & Rexx Scripts
Get Work Place Shell for Windows!!
PGP & MR/2 the only way for secure e-mail.
Finger whgiii@amaranth.com for PGP Key and other info
-----------------------------------------------------------

William H. Geiger III wrote:
In <328523F4.3BC@gte.net>, on 11/09/96 at 04:38 PM, Dale Thorn <dthorn@gte.net> said:
[snip]
I am confused by Dale's repeated attacks on PGP without offering viable alternatives for a public-key encryption system. Sorry, I'll try to remember to count to 10 before I post replies to the list. :)
I've made errors attributing stuff to wrong parties (oops, cringe). And I apologize for not offering a viable alternative to PGP. In another posting, I made a suggestion for making the source code to PGP *really* public, i.e., in a form that the average programmer can verify and edit (for personal use only, of course). I'm tending to think that, instead of using PGP for all encoding (even though it may have multiple facilities for all situations), a message could be encrypted with a good trusted private-key system or whatever, then the private key encrypted with the Public Key software and sent either separately or with the message. The above might be more cumbersome, but it could be automated with messaging automation techniques. At least it would reduce the dependence on PGP to encrypting only the private key(s), which would encourage using PGP at its most secure (slowest) level of encryption for the entire process of encrypting the private key data. As an aside to OTP's, this would not apply for obvious reasons, i.e., the length of the key. Of course, this still requires validation of PGP in whatever portion of the code would be required to encode the private key. My recommendation for really serious users would be to separate out that code and recompile it separately from the remainder of PGP (for personal use only, of course). And in case it got lost in my rhetoric, I do appreciate that there's no substitute for the Public Key process.
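
The arrangement described in the message above (encrypt the message with a symmetric cipher, then encrypt only that cipher's key with the recipient's public key), as an added example using the OpenSSL command line; it is not code from any poster or from PGP. The function names, file names and sample message are constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: hybrid encryption with the openssl CLI (assumes OpenSSL >= 1.1.1).
# Function names, file names and the sample message are constructed for illustration.

make_recipient_key() {            # $1 = work dir; stands in for the recipient's key pair
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/recipient.key" 2>/dev/null &&
  openssl pkey -in "$1/recipient.key" -pubout -out "$1/recipient.pub"
}

hybrid_encrypt() {                # $1 = work dir, $2 = plaintext file
  # Fresh random session key per message, created with owner-only permissions.
  ( umask 077; openssl rand -hex 32 > "$1/session.key" ) || return 1
  # Bulk data: symmetric cipher keyed from the session key, which is read from
  # a file so it never appears on a command line.
  # Note: openssl enc gives confidentiality only; a production scheme would
  # use an authenticated mode so tampering is detected.
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1/session.key" \
    -in "$2" -out "$1/msg.enc" || return 1
  # The public-key step touches only the short session key (RSA-OAEP).
  openssl pkeyutl -encrypt -pubin -inkey "$1/recipient.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$1/session.key" -out "$1/key.enc" || return 1
  rm -f "$1/session.key"          # the sender keeps no copy of the session key
}

hybrid_decrypt() {                # $1 = work dir, $2 = private key; plaintext on stdout
  # Unwrap the session key; a wrong private key fails the OAEP check here.
  openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$1/key.enc" -out "$1/session.dec" 2>/dev/null ||
    { rm -f "$1/session.dec"; return 1; }
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1/session.dec" -in "$1/msg.enc"
  rc=$?
  rm -f "$1/session.dec"
  return $rc
}

# Stand-alone run on a constructed message.
demo_dir=$(mktemp -d)
make_recipient_key "$demo_dir"
printf 'meet at noon\n' > "$demo_dir/msg.txt"
hybrid_encrypt "$demo_dir" "$demo_dir/msg.txt"
hybrid_decrypt "$demo_dir" "$demo_dir/recipient.key"
rm -rf "$demo_dir"
```

Only `key.enc` depends on the public-key code path, so that is the part whose implementation has to be trusted for key transport; `msg.enc` depends on the symmetric cipher alone.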

Paul Bradley wrote:
I'll bet you can't find 10 out of 1,000 users who have read the total source, may not function as expected. compile on my system with the Borland makefile that comes with PGP. Yet another success (NOT!) story for PGP. I wonder how many people on this list would be willing to bet something *really* important to them on the security of PGP?
I'd have more trouble trusting the Loose Nut on the other end than the software. Security is more than the software, it is picking proper Pass Phrases (which I am not too sure about), it is keeping the keys where it is less than easy to get at, it is making sure the machine isn't compromised etc. Also, I ask you once again, could you please format your email to under 80 columns? You might have something valuable to say, but I can't stand to read any of your posts more than 2 or 3 lines because of the way the lines break. Thank you.
Petro, Christopher C.
petro@suba.com <preferred for any non-list stuff>
snow@smoke.suba.com
participants (5)
- Dale Thorn
- Paul Bradley
- snow
- whgiii@amaranth.com
- William H. Geiger III