
Re: Clarifications on PGP5 'vulnerabilities'



Hi,
>>"Juergen" == Juergen Menden <menden@morgana.camelot.de> writes:

Juergen> Tommi Virtanen
Juergen> <tv-nospam-this-address-is-ok-just-reply@hq.yok.utu.fi>
Juergen> wrote:
>>  The political side of this issue must not be forgotten, but
>> nothing in what you wrote means that PGP 5.x is any more "dangerous"
>> than PGP 2.6.3i (to me, or to the way Debian uses PGP signatures to
>> authenticate packages).

Juergen> if i understood him correctly then the difference is in the
Juergen> silence that pgp5 keeps, not telling anybody that the second
Juergen> key is also used.

Juergen> could someone please verify this? if it's right then this
Juergen> _is_ a rather disturbing "feature".

	The only way you can be sure about this is to download the
 source code and have a look at what it does. 

	Failing that, if other people's words make you feel better,
 here are a few:


______________________________________________________________________
The following is a list of Frequently Asked Questions about PGP
5.0i. Comments may be sent to stale@hypnotech.com.

5.2. Isn't PGP 5.0i the version that was weakened for export by the
NSA?

No. PGP 5.0i is just as secure as any other version of PGP. Neither
Phil Zimmermann, MIT, NSA, myself nor anybody else have put any
backdoor into PGP 5.0i, lobotomized the random number generator,
limited the effective key size or otherwise done anything to compromise
the security of the program. If you don't believe it, download the
source code and see for yourself. The PGP source is free for anyone to
scrutinize, and has been so for many years now. Still, nobody has been
able to find any backdoors. The conclusion is clear: if anyone can
crack PGP 5.0i then he/she can also crack any other PGP version
around. If you read magazines like Internet World, don't believe a
word of what they say. :-/
______________________________________________________________________

	manoj
-- 
 Conceit is to nature what paint is to beauty; it is not only
 needless, but impairs what it would improve.  -- Pope
Manoj Srivastava  <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E

