why cissp says this about PGP/GnuPG?

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 24 16:50:46 CEST 2006

Philipp Gühring wrote:
> Are there any facts or reasons against CISSP? Are there any
> alternatives?

Many.  Google for "CISSP criticisms" and you'll find a lot of reasons to
suspect the CISSP, along with some well-regarded alternatives to it.

CISSP nominally requires four years of industry experience in computer
security before they'll grant a cert, but in reality their definition of
"industry experience" is very broad and permissive.  I'd much rather
judge someone on the basis of the industry experience they used to get
their CISSP than I would on the basis of the CISSP itself.

> My personal opinion is that PGP was designed to protect normal
> confidential data, not to protect spy information.

This is not true.  The OpenPGP standard was designed to stand up to
absolutely brutal cryptanalytic attacks.  When it comes to email
cryptography standards, OpenPGP really is the gold standard.

> Spy communication has more demand for steganography (making sure that
> you don't even notice the transmission and not just that you can't
> read it), and less demand for "public" key systems ;-)

I don't mean to sound sarcastic or caustic, but I really wish people who
advocate steganography would first read the academic literature on it.
I'm fond of Moulin and O'Sullivan's "An Information-Theoretic Analysis
of Data Hiding".

Steganography does not have a strong theoretical foundation.  As such, I
think it's dangerous to think steganographic implementations are ready
for prime time.
