PGP

[Werner Koch]

On Mon, 7 Feb 2000, L. Sassaman wrote:

> The commercial version *does not* have back doors. Ignore this FUD.

Okay, prove it.

If you look at the source of any good cryptography software you will
notice that the authors undertake so many precautions and you really
can say, they are paranoid.  One example is the forthcoming Twofish
algorithm which uses the 256 bit form of it and not the 128 bit one -
this is really paranoid but done anyway.  

And now you say, take this compiled program, believe them that there are
no backdoors in it and if you want, you can take the source and
compile it your self - however there is no prove that the usually
distributed binary version has been build from the known source code.

So tell me the probabilities that you 

  a) can break the algorithms 
  b) find a hole in the implementation
  c) that someone has tampered with the product

IMO, c has a probability which is orders of magnitude higher than b.  

Is there a trusted group of persons who did supervise the whole
production process from the published source, over the tool chain to
the production of the CDROM up to the distribution channels?  

I do trust Debian more than a company which got quite a lot of orders
from governmental agencies - but okay, this is only my personal
opinion.

BTW, the Transmeta CPU has a very similar problem, given the huge
amount of software it relies on.

-- 
Werner Koch at guug.de           www.gnupg.org           keyid 621CC013