Encryption on Mailing lists sensless?

Nan nan at goodcrypto.com
Tue Nov 18 18:30:33 CET 2014

  > third party -- your mailserver administrator

The "third party" you don't trust is your own sysadmin. That person already has access to the plain text messages right now. So does everyone tapping your connections. We suggest that you limit that risk to the sysadmin you already trust.

  > telling people that your product will keep their communications secure

Yes, we are. We suggest that GPG crypto is more secure than no crypto, and better when it works for everyone in the group.

Experts can still encrypt their own messages. That approach has had 20 years to work. Most people still don't encrypt mail at all.

Good encryption that is used is much better than encryption only used by an elite.

  > Made false claims that DSA is compromised

I said "was certainly compromised in the past". As you know, one source for DSA flaws is the current ssh-keygen man page:

    "DSA keys must be exactly 1024 bits as specified by FIPS 186-2."

You apparently feel there is some explanation for "exactly 1024 bits" other than the obvious one, that keys of that length are compromised. NIST changed this spec later, but always kept DSA.

If you want another source, NSA themselves consider DSA, specifically ECDSA, to be only Grade B security. With their usual misdirection, NSA calls it "Suite B". Red Hat explicitly says the NSA's Suite B is only good enough for "most" classified information. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Release_Notes/bh-chap-security.html

  > Made false claims that NIST . . .

NIST has often changed specs as each compromise is discovered. Examples are DES, DSA, and Elliptic Curve. A very recent discussion is from "Keeping Secrets -- STANFORD magazine" (https://medium.com/stanford-select/keeping-secrets-84a7697bf89f):

  "The agency has a second tactic to prevent the spread of cryptographic techniques: keeping high-grade cryptography out of the national standards. To make it easier for different commercial computer systems to interoperate, the National Bureau of Standards (now called NIST) coordinates a semipublic process to design standard cryptographic algorithms. ... The NSA's influence over the standards process has been particularly effective at mitigating what it perceived as the risks of nongovernmental cryptography. By keeping certain cryptosystems out of the NBS/NIST standards, the NSA facilitated its mission of eavesdropping on communications traffic."

I suggest you are more careful about your accuracy before you make accusations of false claims, or use the nasty slur "snake oil".

GoodCrypto warning: Anyone could have read this message. Use encryption, it works.

More information about the Gnupg-users mailing list