phil zimmerman on GPG

L. Sassaman
Mon, 11 Sep 2000 18:58:03 -0700 (PDT)

Hash: SHA1

Phil Zimmermann [note the spelling] and I have chatted multiple times
about GnuPG. It's would obviously be awkward for either of us to come out
and say "yeah, we like GnuPG more than PGP." So whatever you hear as
public statements are most likely going to be some sort of NAI
propaganda at some level. Accept this, and pardon us.

Regarding Blowfish, there really was no need to add another 128 bit
cipher. Phil wasn't impressed with Schneier's original Blowfish
paper. Being conservative in that regard is a good thing.

Regarding ElGamal signing keys, there are definately known vulnerabilities
that are easy to allow in incorrect implementations, and there could be
more. Werner recognises this, and has depreciated these keys.

I personally see nothing wrong with the loadable module support, provided
that the box is secure and no one discovers a way to trick GnuPG into
loading untrusted modules. Perhaps some sort of compiled-in checksuming
would be in order?

- --Len.


L. Sassaman

Security Architect             |  "Lose your dreams and you
Technology Consultant          |   will lose your mind."
                               |        |       --The Rolling Stones

Comment: OpenPGP Encrypted Email Preferred.


Archive is at - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to