open source

Michael H. Warfield
Wed, 25 Oct 2000 09:33:36 -0400

On Wed, Oct 25, 2000 at 02:24:56PM +0200, Florian Weimer wrote:

> Wesley James Landaker <> writes:

> > Second, if someone wanted to copy PGP, what's to reverse engineer?!
> > PGP's source is freely available. You can download it and look at it
> > or compile it or whatever. You don't have to "reverse engineer"
> > anything. =)

> Didn't NAI strip all comments before publication? Is there any
> documentation of the design? I think a lot of reverse engineering is
> necessary before you can make substantial changes to the code. ;-)

There is also an OpenPGP working group in the IETF. Protocols, message formats, headers, assigned numbers, all that good stuff, has to be defined for the OpenPGP standard and working documents. In fact, in order to become an IETF standard, OpenPGP must have at least TWO interoperating implementations (generally implied that those implementations are derived from those standards documents). I would say between that and the sources for at least one implementation (NAI), you've got a pretty good start with negligible need for any reverse engineering.

I've also just looked at the Unix sources for PGP 6.5.8 (you can pick them up from if you like) and it doesn't look like they've been through a comment stripper. Not unless they stripped out the comments and then went back in and recommented them. The sources aren't GREAT on comments (what sources are) but they are there.

With this level of information (public documents, commented sources, standards track documents) the need for "reverse engineering" anything is just plain silly. Yes, you still need to understand how and why everything works, but that's not reverse engineering. Reverse engineering is taking the final product and working backwards into sources (physical or software) that you can use to understand how it worked. Reverse engineering is NOT reading public sources to understand how something works. Reverse engineering is not referencing public standards documents (even draft documents).

The fact that the gpg authors are still trying to figure out why pgp manages to import certain mangled keys while gpg fails on them and the fact that the classes of "flaws and bugs" (pgp ADK fiasco, gpg 1.0.3 signature failure flaw) don't overlap between them certainly indicates that gpg was not derived from pgp.

> --
> Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
> University of Stuttgart
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898

Mike
--
Michael H. Warfield | (770) 985-6132 |
(The Mad Wizard)    | (678) 463-0932 |
NIC whois: MHW9     | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!