phil zimmerman on GPG

Werner Koch
Mon, 11 Sep 2000 11:06:44 +0200


On Sat, 9 Sep 2000, Brenno J.S.A.A.F. de Winter wrote:

> That's funny. Bruce Schneier himself said on Twofish last year on Rootfest
> that he would not use it yet, because it was too new. He had more confidence
> in Blowfish so far .... So who should we believe. Werner ... you be the judge.

I talked with Bruce about that and according to him he is sometimes more convinced that Twofish is better and sometimes that Blowfish is still better. Anyway, both are good algorithms and it does not matter which one you use.

Yesterday I finished "Secrets & Lies" - it is a really good book, nothing new but you don't see detail by detail but the whole landscape. Really impressive. There is an attack tree for PGP in it (it is also somewhere on and if you look at it you will be convinced that it does not matter whether you use Blowfish, Twofish, CAST5, 3-DES, IDEA (or even single DES).

> .... the part of pluggable algorithms do not make too much sense to me, but
> maybe I'm just missing the point here. Without denying what Phil Zimmerman

We need them as a workaround for the patented algorithms and they are nice when using gpg for experiments. They add complexity and therefore they increase the risk of security bugs. However it is not a vulnerability - it doesn't matter whether you are able to change a module, gpg itself, libc, libz, libintl, the kernel or the microcode (how would you call that in the Crusoe chip?) of the CPU.

I think I have always talked fair about PGP and when some time ago Phil gave me a phone call to ask me to remove some unfair statements from the GnuPG website I promised to check this. I did not find such a thing and he didn't answer my mail to tell me the URL of that statement.

I have not yet read that interview but I hope that the things mentioned here are out of context. I am regularly exchanging mails with some of the PGP developers to make sure that our implementations are interoperable (more or less). I am quite confident that the PGP developers are trustworthy - however there is also the management and the CD production and I do not have any opinion of them ;).

  Werner

-- 
Werner Koch
GnuPG key: 621CC013
OpenIT GmbH