Werner Koch
Tue, 8 Feb 2000 08:30:47 +0100

On Mon, 7 Feb 2000, L. Sassaman wrote:

> The commercial version *does not* have back doors. Ignore this FUD.
Okay, prove it. If you look at the source of any good cryptography software you will notice that the authors undertake so many precautions and you really can say, they are paranoid. One example is the forthcoming Twofish algorithm which uses the 256 bit form of it and not the 128 bit one - this is really paranoid but done anyway. And now you say, take this compiled program, believe them that there are no backdoors in it and if you want, you can take the source and compile it your self - however there is no prove that the usually distributed binary version has been build from the known source code. So tell me the probabilities that you a) can break the algorithms b) find a hole in the implementation c) that someone has tampered with the product IMO, c has a probability which is orders of magnitude higher than b. Is there a trusted group of persons who did supervise the whole production process from the published source, over the tool chain to the production of the CDROM up to the distribution channels? I do trust Debian more than a company which got quite a lot of orders from governmental agencies - but okay, this is only my personal opinion. BTW, the Transmeta CPU has a very similar problem, given the huge amount of software it relies on. -- Werner Koch at keyid 621CC013