Versions and source code.
DCIFRTHS
lack of source code available. Does anyone have an opinion on this subject?
Also, on NAI's site, there is no Hotfix available for 7.0.3. Any idea why?
Can the Hotfix on PGPI be applied to the NAI retail version?
Thanks for any information you can provide.
not...@nothing.net
>I am interested in purchasing version 7.0.3, but I am concerned about the
>lack of source code available. Does anyone have an opinion on this subject?
A valid concern, but I personally agree with Phil Zimmermann and use 7.0.3.
>Also, on NAI's site, there is no Hotfix available for 7.0.3. Any idea why?
>Can the Hotfix on PGPI be applied to the NAI retail version?
>
>Thanks for any information you can provide.
Take a look at my section on this:
http://www.mccune.cc/PGPpage2.htm#ASCIIArmorParser
Floppy
concerns ( no source ) and on principle ( no source ).
floppy
--
--
<not...@nothing.net> wrote in message
news:tmb1es9...@corp.supernews.com...
not...@nothing.net
>i've read that some people are refusing to use it because of security
>concerns ( no source ) and on principle ( no source ).
You are correct that many people are. And again, these are valid concerns.
This also appears to be a major reason for Phil Zimmermann leaving NAI, but
even he uses 7.0.3, and he gives his personal assurance that it has no
backdoor. In the end, you have to rely on who you trust - as important as the
source code release is, it does not quarantee the absence of a backdoor - I
can think of no one in this who is more trustworthy than PZ. But, of course,
this is just my opinion.
Anonymous
31 Jul 2001 in <tmd5t19...@corp.supernews.com> not...@nothing.net wrote:
> In article <bTl97.6401$sf2.1...@news3.rdc1.on.home.com>, "Floppy" <flo...@canada.com> wrote:
> >i've read that some people are refusing to use it because of security
> >concerns ( no source ) and on principle ( no source ).
>
> You are correct that many people are. And again, these are valid concerns.
> This also appears to be a major reason for Phil Zimmermann leaving NAI, but
> even he uses 7.0.3,
Dare to confirm ?
PRZ is not using PGP v7.0.3, except for some not important PR times.
How do you know, that PRZ PGP v7.0.3 is the same that is available for download ?
How do you know, that PRZ PGP v7.0.3 is not compiled by him from other source code ?
How do you know, that NAI signed executables are the same that PRZ had access to at
source code level ?
PRZ didn't Sig the PGP v7.0.3, than why do you must trust what he did say ?
Shouldn't PRZ put his hand where his mouth is ?
I think, he should, when he is so sure about his opinions. But he didn't,
and that counts, at least for PGP v7.0.3
> and he gives his personal assurance that it has no
> backdoor.
Back door is one think, secure application is another think.
Back door presents or not, is only one part of bigger security issue.
> In the end, you have to rely on who you trust - as important as the
> source code release is, it does not quarantee the absence of a backdoor
Source code release will warrantee that back door may be find.
> - I can think of no one in this who is more trustworthy than PZ.
PRZ didn't program PGP v7.0.3
PRZ didn't test PGP v7.0.3
PRZ did philosophically oversees PGP, like appointed governor will do,
but he didn't physically sink in all that details, about 10 MB of code !!!
-----BEGIN PGP SIGNATURE-----
Version: N/A
iQCVAwUBO2X1AZFYe16N0YSBAQE5bQQAiUE8YGJooYWWzMEWsQRsx0vULr7twYXx
HUVsNZjHmsXZ+QOE+2fAHLrXqP6G2OJYyjWo3fUMl675xf7OGkYk4YSX7mOqaArT
xLqtf6CQii0DzGAYwJQ8lM3tHDVQdjEE4zoVRo7kXFDzdI+NwXrHPscWGaZ7/JpC
LuI0UXxgbmA=
=Ya69
-----END PGP SIGNATURE-----
Johan Wevers
> There is no quarantee that the source code release is the same source
> code of the downloadable software.
No, but then anyone can compile the code himsels and check the differences
between the executables. And this happens: Imad apparently compiled GnuPG
for win32 and found differences, that according to Werner Koch were due
to different libraries. Personally, I believe Werner on this point, but it
*IS* important that this can be checked.
--
ir. J.C.A. Wevers // Physics and science fiction site:
joh...@iae.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
disa...@saiknes.lv.no.spam.net
Hash: RIPEMD160
Johan Wevers wrote:
> Tom McCune wrote:
> > There is no quarantee that the source code release is the same source
> > code of the downloadable software.
>
> No, but then anyone can compile the code himsels and check the differences
> between the executables. And this happens: Imad apparently compiled GnuPG
> for win32 and found differences, that according to Werner Koch were due
> to different libraries. Personally, I believe Werner on this point, but it
> *IS* important that this can be checked.
I compared Keith Ray's binary from www.nullify.org ( gnupg-w32-1.0.6-nullify.zip )
with Werver's binary and the only difference was timestamps in gpg.exe file.
== <EOF> ==
Disastry http://i.am/disastry/
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
^--GPG for Win32 (supports loadable modules and IDEA)
^---PGP 2.6.3ia-multi04 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
AES, 3DES ciphers and MD5, SHA1, RIPEMD160 hashes)
-----BEGIN PGP SIGNATURE-----
Version: Netscape PGP half-Plugin 0.15 by Disastry / PGPsdk v1.7.1
iQA/AwUBO2pHnzBaTVEuJQxkEQPvDQCeKlpw1jCO3qmhx5dMwXyPIhzFFYQAn1AN
/xK5gfMwoLlRLLk7HPPgvD1C
=ObaR
-----END PGP SIGNATURE-----
Imad R. Faiad
Hello,
My concern was that while I was dumping secret key packets,
I am seeing some very funny looking comment packets as
listed below. This is with the stock GPG 1.0.6.
No sure yet where these came from, or what they are.
If any one can replicate this please message me.
Will post a follow up, as soon as I have some more
information.
Best regards
Imad R. Faiad
gpg --list-packets csec.asc
:secret key packet:
version 4, algo 17, created 996839379, expires 0
skey[0]: [1024 bits]
skey[1]: [160 bits]
skey[2]: [1024 bits]
skey[3]: [1024 bits]
iter+salt S2K, algo: 3, hash: 2, salt: a9dc76807190bec0
protect count: 96
protect IV: 4b 72 33 6e c1 d3 1b 3e
encrypted stuff follows
:comment packet: "#:DSA_factor:\x00\x00\xafIy\xc4\xb4\x89\x10J\x0bW\xbe\x84\xbbF\x16B\x88\xa8\x13\xb3t\x7f\x19"
:comment packet: "#:DSA_factor:\x00\x00\xafpy\xc2\xd7\xa79%\x04\xef\x09\xba\xae\x83\xa0\xf8\xbd\xec\xf4.t\xc1\xc1"
:comment packet: "#:DSA_factor:\x00\x00\xafJ\xddbmM\xc4@OpX\x84"\xd3\xdb\x04\xca\x17\x91J\xe7`\xd1"
:user ID packet: "ctest2"
:signature packet: algo 17, keyid DA1F9F314EB31D16
version 4, created 996839379, md5len 0, sigclass 13
digest algo 2, begin of digest 97 19
hashed subpkt 2 len 5 (sig created 2001-08-03)
hashed subpkt 11 len 5 (pref-sym-algos: 7 10 3 4)
hashed subpkt 21 len 3 (pref-hash-algos: 3 2)
hashed subpkt 22 len 3 (pref-zip-algos: 2 1)
hashed subpkt 23 len 2 (key server preferences)
subpkt 16 len 9 (issuer key ID DA1F9F314EB31D16)
data: [157 bits]
data: [159 bits]
:secret sub key packet:
version 4, algo 16, created 996839400, expires 0
skey[0]: [2048 bits]
skey[1]: [3 bits]
skey[2]: [2048 bits]
iter+salt S2K, algo: 3, hash: 2, salt: a9dc76807190bec0
protect count: 96
protect IV: 39 48 49 9f fa 65 23 ea
encrypted stuff follows
:comment packet: "#:ELG_factor:\x00\x00\xe3\x04Q;\x81\xa2l\xb0\xc3\x16\x9dn5\xe7\xc8L#\xdf\xbcP\xa8\xfac\xd8\xaaeZ\x1f\x1ak"
:comment packet: "#:ELG_factor:\x00\x00\xe3\x06\xa1\xc3\x862]/q\xfbNrwK \x1f\xcb\xbbJ\x1c\x11\xa3l\xcf\xc9k\x7f\x09\x10I"
:comment packet: "#:ELG_factor:\x00\x00\xe3\x06\x99\x09\x85\x8d\xc7U\x8e\xdd\xb3P]\xae^\xe6\x18\x89\xae\xab\xf6U\xc2\x0a\xf8\x82\xce\xce\x9a\xa9"
:comment packet: "#:ELG_factor:\x00\x00\xe3\x06v00\x8c\x81\x9f%\xd4\xb4\x91w\xda\xdd\x7e\xa1\xe9c\x11\x15;\xf1i\xec\xaa\xdao\xbe\xc9"
:comment packet: "#:ELG_factor:\x00\x00\xe3\x07\x0edA\x00:\x0d`\x0d\xbc@M7\x96\x03C\x87JB\xad\x80sZY20E\x91\xff"
:comment packet: "#:ELG_factor:\x00\x00\xe3\x06\xca\x98\x86I\x06\x17`\x0eK\xe3\xf6n\xa3\xd7AX\xf2\x94C\xaa\xbd\x0ck\xfa\xc0m\\xdd"
:comment packet: "#:ELG_factor:\x00\x00\xe3\x06H\x92\xff\xb8f\xc2\x0d\xee\x02ORm\x81\xbf\xb0\x8d\xdd\xc9\x0d\x15\x97\xa0\xdey\xa3\xd4F\xf9"
:comment packet: "#:ELG_factor:\x00\x00\xe3\x06.x9\xbc\xf6.q\x84\xa3\x84\xcf\xc89c\xe1\xce\x18\xdcB\xd3Q\x97\xb3\xd4(\x81m\xed"
:signature packet: algo 17, keyid DA1F9F314EB31D16
version 4, created 996839400, md5len 0, sigclass 18
digest algo 2, begin of digest af a1
hashed subpkt 2 len 5 (sig created 2001-08-03)
subpkt 16 len 9 (issuer key ID DA1F9F314EB31D16)
data: [159 bits]
data: [158 bits]
On Fri, 03 Aug 2001 09:10:11 +0200, in comp.security.pgp.discuss Johan Wevers
<joh...@iae.nl> wrote:
>Tom McCune wrote:
>
>> There is no quarantee that the source code release is the same source
>> code of the downloadable software.
>
>No, but then anyone can compile the code himsels and check the differences
>between the executables. And this happens: Imad apparently compiled GnuPG
>for win32 and found differences, that according to Werner Koch were due
>to different libraries. Personally, I believe Werner on this point, but it
>*IS* important that this can be checked.
-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
iQEVAwUBO2p3VLzDFxiDPxutAQHpEAf+JCXJL0QxfivwK3QRQ13S6/vJuoUpK4HS
LZ+6HxLq42xuJFwaJF2LOB4R7NxTJjtq5Tpm2F7u3eJ/NpvqZrlfrFgonElmmMEm
ur3b0vnTiWCUuy6jX8ZUOEhSjxATS5GaiPgALiYvln2/ayI6MZrhNldmAS5oeP21
LWe6wT5ybSpXhPcKLJpfVerb+vTO3afjV59jiChNUvoIb7DfWoKLvm6ppZnLQ7Uw
aL6VKcL5ZqNyNUl6jfO8x7j2ph4FQ4u3M3iNS0p/XXuuNJHByOOIjI2+GTejGtcP
NAWd+IH6H1bn+ahzMt03HcAUxWbdrgAU9nwH9QOR+BDOMGgvpxx9FA==
=WFDQ
-----END PGP SIGNATURE-----
Imad R. Faiad
Hello,
Apparently the factors are being stored in the private
comment packets at keygen time.
I still don't get it, what does he need the factors for?
Anyone care to comment?
GPG for win32 is not easy to build in a windows environment,
one needs a linux box to build as per the binary distribution.
You may do a cygwin build, but you still need to do a lot
of patching before you succeed.
DSA and ElGamal keys are very susceptible to key leakage.
One is in fact at the mercy of the implementor, and an unscrupulous
one may use such packets to leak whatever information he
cares to leak. It is very difficult to detect such leakage,
unless one has looked at the code and compiled it.
A casual user cannot check on the fly whether these packets
are indeed factors or not. Also, a clever unscrupulous implementor,
will find a way to disguise the leak as factors.
I am not alleging anything, but I am sure we can all
live without these factors, the standard does not
warrant their inclusion with the key. So, why have them
there? The less the better, IMHO.
Am I being too paranoid? Is it wrong to view with
suspicions any extra information which is packaged
with the key?
my 2c
Best Regards
Imad R. Faiad
On Fri, 03 Aug 2001 14:05:56 +0200, in comp.security.pgp.discuss Imad R. Faiad
<ma...@cyberia.net.lb> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Hello,
>
>My concern was that while I was dumping secret key packets,
>I am seeing some very funny looking comment packets as
>listed below. This is with the stock GPG 1.0.6.
>
>No sure yet where these came from, or what they are.
>
>If any one can replicate this please message me.
>
>Will post a follow up, as soon as I have some more
>information.
>
>Best regards
>
>Imad R. Faiad
>
-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
iQEVAwUBO2qJa7zDFxiDPxutAQGGFQf/TCt0G95IiO29c9xPIpsvAT/mUp8ulE4g
9BACI1UwW5RAnip3OGWOa4qi80lhhfhjmtVl65i/U3yPUFtjcP/EpnqbtxTElWeC
rOc0/iP6CipjeJ0V3QWBfB/ySvsy9vd1jShT3/TD2qKgWioMVXS8viwY/vQ6B9Ec
LgWFjkBYbqE+1oUWZ6navj94Vg+IuLRvOAO13Ufn0vsu6q+4f+DsCRn2ukPmG52D
9+cF5a/I86BbKb7/37EXa1TN4ypOGifMqGFKF9pyaMyPDy02ob7GRZKTWWEoqNZV
FYdE2YJWMzf+PP5oJnuJIT/ZHuc4vjMQFymLWz5uMDCPhL59s31jjA==
=ywGj
-----END PGP SIGNATURE-----
disa...@saiknes.lv.no.spam.net
Hash: RIPEMD160
"Imad R. Faiad" wrote:
> Apparently the factors are being stored in the private
> comment packets at keygen time.
>
> I still don't get it, what does he need the factors for?
> Anyone care to comment?
I think Werned does not know it either..
at lest it seems so from the comment in file g10/keygen.c :
/* don't know whether it makes sense to have the factors, so for now
* we store them in the secret keyring (but they are not secret) */
> ......
> You may do a cygwin build, but you still need to do a lot
> of patching before you succeed.
not that much... I did it for 1.0.4,
and the most of changes was to enable dynamic
loading (which is now in 1.0.6 by default)
> I am not alleging anything, but I am sure we can all
> live without these factors, the standard does not
> warrant their inclusion with the key. So, why have them
> there? The less the better, IMHO.
I agree: they are not used - so they are not needed.
objections, someone ?
== <EOF> ==
Disastry
http://i.am/disastry/
-----BEGIN PGP SIGNATURE-----
Version: Netscape PGP half-Plugin 0.15 by Disastry / PGPsdk v1.7.1
iQA/AwUBO2qYjDBaTVEuJQxkEQPYAACgphDP7w4MyrnT9zZd0FwQclukbJoAoM3K
pZbrnW5CUlIbfadXoLHkuihV
=euxG
-----END PGP SIGNATURE-----
Dan Stratila
Hash: SHA1
Hi.
Tom McCune wrote in message ...
>In article <518596978ff48ba8...@hyperreal.pl>, Anonymous
><nob...@hyperreal.pl> wrote:
>>PRZ is not using PGP v7.0.3, except for some not important PR times.
>>How do you know, that PRZ PGP v7.0.3 is the same that is available for
>>download?
>>How do you know, that PRZ PGP v7.0.3 is not compiled by him from other
>>source code ?
>>How do you know, that NAI signed executables are the same that PRZ had
>>access to at source code level ?
Let's face it, how do we know that PRZ isn't using a modified Linux version
of PGP?:)
Dan.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>
iQA+AwUBO2uId/PX0JuWXguFEQKpjwCY8za731zg/xELpVPvwjxw9AIXtwCg1Yoj
xR9ZsAliNyaeaIA1axXAaTQ=
=hJAV
-----END PGP SIGNATURE-----
Imad R. Faiad
<dan...@moldnet.md> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi.
>
>Tom McCune wrote in message ...
>
>>In article <518596978ff48ba8...@hyperreal.pl>, Anonymous
>><nob...@hyperreal.pl> wrote:
>
>>>PRZ is not using PGP v7.0.3, except for some not important PR times.
>>>How do you know, that PRZ PGP v7.0.3 is the same that is available for
>>>download?
>
>>>How do you know, that PRZ PGP v7.0.3 is not compiled by him from other
>>>source code ?
>>>How do you know, that NAI signed executables are the same that PRZ had
>>>access to at source code level ?
>
>
>Let's face it, how do we know that PRZ isn't using a modified Linux version
>of PGP?:)
>
>Dan.
PRZ, is a Mac OS user.
Dan Stratila
Hash: SHA1
Hi.
Imad R. Faiad wrote in message ...
>PRZ, is a Mac OS user.
PRZ, he can always telnet.
Dan.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>
iQA/AwUBO20hiPPX0JuWXguFEQJ6AgCfYSDSC/+134ErKJfPp82IqPP99kcAoIgY
Wdp0LXspFvPYnTADJe8LCJDy
=FALn
-----END PGP SIGNATURE-----
skeptic
Subject: Re: Versions and source code.
Newsgroups: comp.security.pgp.discuss
Date: Fri, 03 Aug 2001 15:26:51 +0200
From: Imad R. Faiad <ma...@cyberia.net.lb>
*** PGP Signature Status: bad
*** Signer: Imad R. Faiad <ma...@cyberia.net.lb>
*** Signed: 01/08/03 7:22:19 AM
*** Verified: 01/08/11 10:35:38 AM
*** BEGIN PGP VERIFIED MESSAGE ***
Hello,
Apparently the factors are being stored in the private
comment packets at keygen time.
I still don't get it, what does he need the factors for?
Anyone care to comment?
GPG for win32 is not easy to build in a windows environment,
one needs a linux box to build as per the binary distribution.
You may do a cygwin build, but you still need to do a lot
of patching before you succeed.
..
~~~
This PGP signature only certifies the sender and date of the message.
It implies no approval from the administrators of nym.alias.net.
Date: Sat Aug 11 17:00:07 2001 GMT
From: ske...@nym.alias.net
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBO3Vkm05NDhYLYPHNAQH8JQf/UiHwk6ku+CioUd+29pcuePhIIKypahEJ
MmKSlLgXjX3JOT/TYa7hbrOEAuyxbpYfsYqkHG0KyDs3tYrtjgStQbW0jHAi5/p1
rmTxZLrd7kpaKDPdnasPFvEtpSctberf0q3Ff8p34WknbvFCxZ/B1jEqwQRN6aw7
VhLc+DxtMhkXaGHCeFg/DFZdIR15nCV0jbH7JmW8aS/EE8gnHwegeMZ/aC2sOTm6
7W9AuzHCi74la+8M6OC8YXNIBixDi6DTC4lb4lUeKs+dxn9EmCo1jJHPjrOo+d/S
E4srC6/aie+GP20JRc6cCcA1btlNz3qNNlBhzB3EbPynzo9q+gB6KQ==
=5Afq
-----END PGP SIGNATURE-----
Rich Wales
Imad R. Faiad wrote:
> Apparently the factors are being stored in the private
> comment packets at keygen time. I still don't get it,
> what does he need the factors for? Anyone care to comment?
Might the factors allow speedier signing -- much as the original PGP
stored additional data in RSA secret keys in order to take advantage
of the Chinese Remainder Theorem?
Rich Wales ri...@webcom.com http://www.webcom.com/richw/pgp/
RSA, 2048 bits, ID 0xFDF8FC65, print 2A67F410 0C740867 3EF13F41 528512FA
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3n
Charset: noconv
Comment: Rich Wales's public keys at http://www.webcom.com/richw/pgp/
iQEVAwUBO3YFQ0m4X0z9+PxlAQH50Qf/ZEBBmpHFdT+CaS2fBiSQpHJqfO6h9YZo
ND8vsa9XM6AEjPjw94+OQnumpkPowIeT0bnzXTAbleCQUYJGf8jgBecLdhJCOqWn
5oknABlpSI6pFQFwslPH2d/1ShZmX/kTvvzkIGDVZACjqQWp4WzcBfdDJJsIbqdT
rqecU2VMUCDJwkksWiYcmsiiJuYT300Vx3N1qU9iLAz1KDikDx/VnFtYHQoG7tiQ
1hk3OvIdxNZuVkrXGsK6I5kHyD0IlXZFl/0U9K5hUgz4ILDvNWoPu6Uji1IeVu+L
cx2gBTLmi2DNQLG4s0Rq3+ijoKNHvL4oXtBEUAeTaPVEV6Xfhd+prg==
=Gnov
-----END PGP SIGNATURE-----