CKT PGP versions are to be avoided...

John Driscoll

Jan 21, 2000, 3:00:00 AM
Guys,

In seeking the wonderful benefits of CKT versions of PGP, I found this
foreword from Mr. Zimmermann. Read and be educated, as the man speaks...

-----BEGIN PGP SIGNATURE-----
Version: 6.0.2ckt http://members.tripod.com/IRFaiad/
Comment: KeyID: 0x833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is no advantage for using the keys larger than about 3000 bits.
The 128-bit session keys have the same work factor to break as a 3000
bit RSA or DH key. Therefore, the larger keys contribute nothing to
security, and, in my opinion, spread superstition and ignorance about
cryptography. They also slow everything down and burden the key servers
and everyone's keyrings, as well as cause interoperability problems
with present and future releases of PGP. Perhaps even more importantly,
they also undermine other people's faith in their own keys that are of
appropriate size. While it may have been well-intentioned, this massive
expansion of key size is a disservice to the PGP community.

Also, larger DSA keys don't contribute anything unless the hash grows
bigger with it. That requires selecting a good well-designed bigger hash
that has been specifically designed to have the full work factor for
breaking it. Using two SHA1 hashes in that manner has not been adequately
shown to achieve this result.

Anyone with a sophisticated understanding of cryptography would not make
the keys bigger this way.

Experimental code that we put into PGP during its development should not be
used. It was protected with conditional compilation flags and should never
have been revealed to uninformed users who decide to perform a "public
service" by enabling the code and releasing it. This is part of the reason
why we ask people not to release code changes on their own, but to send them
to us, so that we may incorporate some of them (if they seem like good
ideas) into our next product release. That is how PGP enhancements from the user
community have always been managed since PGP source code was released in
1991.

-Philip Zimmermann

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0b16

iQA/AwUBNcIZ0GPLaR3669X8EQIblACePP3jorZ6Y+wjYDRomxMfKgLF2h4AoNmI
tjDuzHfhdIqDd6s5BUNIlhBu
=3BJC
-----END PGP SIGNATURE-----


-----------------------------------------------------

I use PGP to send secure emails.

Get my public key at
www.driscoll5.freeserve.co.uk/jdd.asc

-----------------------------------------------------

Gary Woods

Jan 21, 2000, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----

"John Driscoll" <in...@spamdriscoll5.freeserve.co.uk> wrote:

>In seeking the wonderful benefits of CKT versions of PGP, I found
>this foreword from Mr. Zimmermann. Read and be educated,

Your logic is flawed: Just because the CKT version allows features
not recommended by PRZ (and in fact includes his statement to that
effect), does not mean you shouldn't use it. Users wanted a feature
that probably isn't useful, and it was included. It's still a great
package, with several added features, including a working PGPdisk
with the newest release.

- - --
Gary Woods O- K2AHC Public keys at www.albany.net/~gwoods, or get
0x1D64A93D via keyserver
gwo...@albany.net gwo...@wrgb.com
fingerprint = E2 6F 50 93 7B C7 F3 CA 1F 8B 3C C0 B0 28 68 0B

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i for non-commercial use <http://www.pgpi.com/>

-----END PGP SIGNATURE-----

John Driscoll

Jan 21, 2000, 3:00:00 AM
My point was that the version ought not to be avoided. Why? Because 99% of
PGP users want PGP to work immediately. They go to lengths to publish their
keys online, on key servers etc, so they are part of the PGP community. They
do not want software telling them there is an 'error', or people telling
them they are just 'not compatible'.

The CKT versions of PGP allow the creation of useless, hulking, slow keys
which are not compatible with everyone else. This wastes your time. But it
gets better. When uploaded to key servers, they slow them down, so we all
suffer.

And this is so you can get shut out from the rest of us at the gain of no
extra security.

I am not saying you are obliged to create huge keys with the CKT software. I
am just saying that since the large keys are their only real advantage (PGP
disk hacks to make PGP disk work with the latest release are everywhere) it
is better not to use it, as you may forget that your software takes you out
of the PGP community limits, and create a huge *dinosaur* key one day.

For the purposes of freedom and whatever, of course people can use CKT
versions, but really you have nothing to gain, and risk degrading other
people's PGP experience.

John D


Gary Woods <gwo...@albany.net> wrote in message
news:u0eh8sk0av4js73ac...@4ax.com...

Abc

Jan 22, 2000, 3:00:00 AM

John Driscoll wrote:

> Guys,


>
> In seeking the wonderful benefits of CKT versions of PGP, I found this

> -----BEGIN PGP SIGNATURE-----

Hiram Yaeger

Jan 23, 2000, 3:00:00 AM
>My point was that the version ought not to be avoided. Why? Because 99% of
>PGP users want PGP to work immediately. They go to lengths to publish their
>keys online, on key servers etc, so they are part of the PGP community. They
>do not want software telling them there is an 'error', or people telling
>them they are just 'not compatible'.
>

And 99% of users use non-CKT versions first, and the remaining 1% will have had
a firsthand learning experience.

>The CKT versions of PGP allow the creation of useless, hulking, slow keys
>which are not compatible with everyone else. This wastes your time. But it
>gets better. When uploaded to key servers, they slow them down, so we all
>suffer.
>

It doesn't waste my time, and anyone who uses CKT builds with large keys finds
them to be neither useless, nor hulking, nor slow. It does not waste my time,
nor does it waste the time of other CKT users I know. And as for slowing down
the key servers, I somehow doubt that the detrimental effect of even a 16,384
bit RSA key would be noticeable by anyone, including you or the key server
administrator.

>And this is so you can get shut out from the rest of us at the gain of no
>extra security.
>

You act as though CKT builds are incapable of generating keys that are of
normal size or that those that are are inoperable with generic builds of PGP.
This is simply not true. And on top of this, PGP CKT builds come with a
freeware version of PGPdisk and include functionality enhancements and bug
fixes.

>I am not saying you are obliged to create huge keys with the CKT software. I
>am just saying that since the large keys are their only real advantage (PGP
>disk hacks to make PGP disk work with the latest release are everywhere) it
>is better not to use it, as you may forget that your software takes you out
>of the PGP community limits, and create a huge *dinosaur* key one day.
>

Large keys are not the only real advantage. Try actually reading the readme
files for all the CKT builds of PGP, before you yammer.

And anyone that accidentally (that's a laugh) creates a large key will notice
very, very rapidly, and be able to revoke or delete the key (with the 6.x
versions).

As for PGPdisk hacks, the only one I've ever seen was written by IR Faiad ...
the creator and distributor of PGP CKT.

>For the purposes of freedom and whatever, of course people can use CKT
>versions, but really you have nothing to gain, and risk degrading other
>people's PGP experience.
>

"of freedom and whatever" -- I'm certainly glad to have your permission to
exercise my right freedom and whatever. I disagree that there is nothing to
gain -- I feel that I gain a great deal. I also feel that anyone knowledgeable
enough to find the CKT versions and read about them before using them will
understand the consequences and understand that into which they are getting.
As for degrading others' experience? How, because the person downloaded a key
which they should have known wouldn't work (and would very rapidly understand
does not work and why)? Because the key server would be slowed down to such a
crawl? Honestly, do you believe the major key servers are running on '386s
with 16 MHz and 2 MB of RAM?

In the future, I'd appreciate it if you'd say you feel CKT versions should be
avoided, rather than telling people flat out not to use them without even
bothering to research (hell, the CKT version you used was old by one or two
builds).

>John D

John Driscoll

Jan 23, 2000, 3:00:00 AM
Bothering to research? I completely purged my system of PGP the other day so
I could fully install the CKT version I picked up.

By the way, how did you know the CKT version I used? I don't recall
mentioning it.

My findings with the CKT version were that the bug in release 6.02i of PGP
which stops you being able to run pgp disk from the pgp tray was fixed.

Other than that, the ability to create RSA keys was added. Oh, and you could
create massive, useless keys if you wanted.

I admit I am not sure if uploading massive incompatible keys such as those
the CKT versions create would slow keyservers. However, Phil Zimmermann said
it would, and I took his word for it. I am not so sure it has to do with
computer speeds, exactly. You should ask him.

So there are two reasons to go get a CKT version of pgp.

1) Minor bug fixes and RSA creation ability.

2) Really big, useless keys.

The problem with the obvious advantage of RSA creation ability is that you
can get it from old version 2x - versions. And if you choose the CKT route
instead, you must have your entire main PGP program not be a verified
original, but one that 'some people' HAVE modified. So how can you be sure
you like all the modifications, whether you know about them or not?

The guy who made the version I use, IR Faiad, seems safe enough. But I want
my versions to be from Network Security and/or Phil Zimmermann pretty much
directly. No alterations. No backdoors. You see, it is a bad idea generally
to allow more than one strong source to be creating the software which will
carry your trust. Especially when, like me, you know so little about them.

It seems dubious to me that people want the world's strongest security
standard, but don't care who opens it up at the seams and alters the code.
Why not use the old 'code wheel' for encryption (A=1, B=2, C=3).

-----------------------------------------------------

I use PGP to send secure emails.

Get my public key at

www.driscoll5.freeserve.co.uk/dhdss.asc

-----------------------------------------------------
Hiram Yaeger <hram...@aol.come.on> wrote in message
news:20000122211257...@ng-ch1.aol.com...

Archer

Jan 24, 2000, 3:00:00 AM
He knew what version of CKT you used because you signed your posting with
it.

-----BEGIN PGP SIGNATURE-----
Version: 6.0.2ckt http://members.tripod.com/IRFaiad/


That is how he knew.

John Driscoll

Jan 24, 2000, 3:00:00 AM
He he he...

I had thought I might have done something like that... Very observant...

JDD


-----------------------------------------------------

I use PGP to send secure emails.

-----------------------------------------------------
Archer <arc...@sometimescharter.net> wrote in message
news:s8np03f...@corp.supernews.com...

Dave Howe

Jan 24, 2000, 3:00:00 AM
In our last episode (<alt.security.pgp>[Fri, 21 Jan 2000 21:28:46
-0000]), "John Driscoll" <in...@spamdriscoll5.freeserve.co.uk> said :

>My point was that the version ought not to be avoided. Why? Because 99% of
>PGP users want PGP to work immediately. They go to lengths to publish their
>keys online, on key servers etc, so they are part of the PGP community. They
>do not want software telling them there is an 'error', or people telling
>them they are just 'not compatible'.
Let's face facts here.
1) You can get "sanitized" versions of ckt builds - with all the extra
features and bugfixes, but without the large key generation support.
Assuming you can't be trusted outside your sandbox, of course..
2) The key generation screen warns you that keys over a certain size
are likely to be unreadable in classic versions of pgp - but to be
honest, if you really wanted to keep 100% compatibility, you would
need to limit yourself to 2047-bit RSA keys with IDEA, so the older
dos versions could still read it. I don't regard that sort of a limit
as reasonable (although I expect 4096 to be ample for my lifetime)

>
>The CKT versions of PGP allow the creation of useless, hulking, slow keys
>which are not compatible with everyone else. This wastes your time. But it
>gets better. When uploaded to key servers, they slow them down, so we all
>suffer.
so, in what way does one 16K key slow down a server more than four
"approved" 4096 keys? particularly as the 4x4k keys also take up four
index entries? I suggest you think about the concepts of fingerprints
and key IDs, and then think about how a typical database engine works.
then get back to us.

>And this is so you can get shut out from the rest of us at the gain of no
>extra security.

It's a matter of opinion. An incremental advance in cryptography could
make RSA keys of 4096 vulnerable, but leave 16K intact. I can't imagine
ANYONE still using the "low-risk" 128bit RSA keys that the early PGPs
would generate, as they are trivially crackable. As a rough guide,
your Asymmetric key should be at least twice as hard to crack as the
sum of the difficulties of all the individual symmetric keys they
protect - as that gains them all your current and future traffic,
whereas cracking 'n' symmetric keys gains them 'n' messages, with no
real advantage when the next message of interest to them arrives.

>I am not saying you are obliged to create huge keys with the CKT software. I
>am just saying that since the large keys are their only real advantage (PGP
>disk hacks to make PGP disk work with the latest release are everywhere) it
>is better not to use it, as you may forget that your software takes you out
>of the PGP community limits, and create a huge *dinosaur* key one day.

CKT builds tend to have a few extra "gui" options too - like changing
the text of the signature remark line, extra display and sort options
in the key management list box, and so forth. The writers are also
always willing to consider new feature requests and/or bugfixes, while
NAI are not so co-operative.

>For the purposes of freedom and whatever, of course people can use CKT
>versions, but really you have nothing to gain, and risk degrading other
>people's PGP experience.

I can't see this being a problem - if someone "Accidentally" generates
a huge key (and how do you do that? you generate keys very rarely
anyhow, and it suddenly taking a full day to find a key rather than
half an hour does tend to be noticeable) then get them to generate a
new one; delete their old, unacceptable key off your ring, and use the
new one exclusively. I can't see a problem here.


John Driscoll

Jan 25, 2000, 3:00:00 AM
Some interesting points below.

The main advantages you outline below are minimal ones, such as slight GUI
advances.

You appear to think a larger key size means greater security. IT DOES NOT.
Sent out with the CKT version I downloaded was a letter from Phil Zimmermann
going into detail about why the larger keys made by CKT versions do not
affect the security level. He makes this point quite clear. Something about
there are other parts of the key you also have to alter in order to get
greater security levels. I have already published his letter once... check
the old messages.

As for CKT in general, my key point stands... CKT is PGP which you KNOW has
been altered by persons whom you do not know. The world says Phil Zimmermann
is committed to security and nothing else, but they do not say that about
each and every CKT version builder. Therefore, unless you know and trust the
CKT version creator, you cannot reasonably say your security standards are
at all trustworthy, because you simply wouldn't know if your *new* version
had a *new* trapdoor. People source check PGP, but have you actually checked
the CKT coding of your version yourself? Because only the creator seems
ready to back up it is secure. If your whole security is based on the sayso
of a person you don't know and have never met, might I introduce you to the
code wheel (A=1, B=2, C=3).

The code wheel could be the security level you are at.

It certainly bears thinking about.

Dave Howe <DHowe@hawkswing> wrote in message
news:PiyLOOUu9mgCWan=bBMgNMGu=r...@4ax.com...

Dave Howe

Jan 26, 2000, 3:00:00 AM
In our last episode (<alt.security.pgp>[Tue, 25 Jan 2000 14:40:45
-0000]), "John Driscoll" <in...@spamdriscoll5.freeserve.co.uk> said :
>The main advantages you outline below are minimal ones, such as slight GUI
>advances.
I didn't really go into detail - If you look at the difference between
5.5.3ckt and the official release, there are some important bugfixes
(for example, the wipe utility as shipped had a bug and didn't work
properly) but of course the 6.x releases also fixed those, and the
difference between 6.x and 6.x(ckt) is less.

>You appear to think a larger key size means greater security. IT DOES NOT.
>Sent out with the CKT version I downloaded was a letter from Phil Zimmermann
>going into detail about why the larger keys made by CKT versions do not
>affect the security level.

yes, and the ckt team make a point of including it. So? much as I
respect PZ, he was looking in the wrong place. saying not to make a
master key stronger than a session key is just *wrong* - each master
key protects MANY session keys - how many session keys must they break
to have access to all your mail?? now, how many master keys do they
need to give the same effect? if you have 'n' messages you wish to
protect, then your master key must be HARDER to break than 'n' session
keys - and 'n' increases over time.

>He makes this point quite clear. Something about
>there are other parts of the key you also have to alter in order to get
>greater security levels. I have already published his letter once... check
>the old messages.

no, that was in relation to digital signatures. As a digisig is an
encryption of a hash of the message, the hash function must be harder
to attack than the encryption, or the signature is only as secure as
the hash function. This is not news, and doesn't affect the value of
the key for encryption, just its value for signatures involving that
hash. I'd hate to have to upgrade my key if they upgrade the hash.


>
>As for CKT in general, my key point stands... CKT is PGP which you KNOW has
>been altered by persons whom you do not know. The world says Phil Zimmermann
>is committed to security and nothing else, but they do not say that about
>each and every CKT version builder.

PZ no longer writes PGP. The existence of the ckt builds INCREASES my
trust of the package as a whole. Imad has had to look at the code in
order to patch it - so that is one person more who has a history of
trustworthiness (if not quite as trusted as PZ - sorry Imad :+) who
has inspected the code - and a simple diff from the "official" pgpi
source will let you identify all the changes he has made.

>Therefore, unless you know and trust the
>CKT version creator, you cannot reasonably say your security standards are
>at all trustworthy, because you simply wouldn't know if your *new* version
>had a *new* trapdoor. People source check PGP, but have you actually checked
>the CKT coding of your version yourself?

yes, as it happens. I even had to get a couple of files missing from
the original archive that weren't on the server they were supposed to
be on (graphics files, not important ones :+) The only bit I had any
concerns over was the random number generator (because it is
DRASTICALLY different from the old DOS days) and that is identical to
the "official" build, as is the CAST code. I actually have MORE trust
in the ckt source, as I have looked at and built from that myself, but
have only glanced at the official archive.

> Because only the creator seems
> ready to back up it is secure. If your whole security is based on the sayso
> of a person you don't know and have never met, might I introduce you to the
> code wheel (A=1, B=2, C=3).

it's odd you worry about this, but are willing to endorse the
"official" build direct from NAI, which is not only on the sayso of
the authors, but on the sayso of authors you don't even know the names
of :+)
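
An added worked example (mine, not from any poster in this thread) that puts numbers to the two key-size arguments above: Zimmermann's "128-bit session key has the same work factor as a ~3000-bit RSA/DH key", and Dave Howe's rule that the master key must be harder to break than the 'n' session keys it protects. It assumes the GNFS heuristic cost L_N[1/3, (64/9)^(1/3)] as the factoring-cost model, calibrated so that a 3072-bit modulus scores exactly 128 bits, and reads Dave's rule literally as "twice the summed cost of n session keys".

```python
import math

# Thread facts used as calibration: PGP's 128-bit session keys, and
# Zimmermann's "about 3000 bits" RSA/DH equivalence (rounded to 3072 here).
SESSION_KEY_BITS = 128
CALIBRATION_MODULUS_BITS = 3072


def _gnfs_log2_cost_raw(modulus_bits: int) -> float:
    """Uncalibrated log2 of the GNFS heuristic L_N[1/3, (64/9)^(1/3)].

    L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3)); dividing by ln 2
    expresses it in bits. This is an asymptotic model (my assumption), not a
    claim about any real factoring record.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    return c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0) / math.log(2)


# Scale factor so the calibration modulus scores exactly SESSION_KEY_BITS.
_SCALE = SESSION_KEY_BITS / _gnfs_log2_cost_raw(CALIBRATION_MODULUS_BITS)


def rsa_security_bits(modulus_bits: int) -> float:
    """Estimated work factor, in bits, to factor an RSA modulus of this size."""
    return _SCALE * _gnfs_log2_cost_raw(modulus_bits)


def required_master_bits(n_messages: int, session_bits: int = SESSION_KEY_BITS) -> float:
    """Dave Howe's rule read literally: the master (long-term) key must cost
    at least twice the summed cost of the n session keys it protects,
    i.e. 2 * n * 2^session_bits, which is session_bits + log2(n) + 1 bits."""
    if n_messages < 1:
        raise ValueError("need at least one protected message")
    return session_bits + math.log2(n_messages) + 1.0


def modulus_bits_for_security(target_bits: float) -> int:
    """Smallest modulus size (rounded up to a multiple of 8) whose estimated
    work factor reaches target_bits. rsa_security_bits grows monotonically
    with the modulus size, so a binary search suffices."""
    lo, hi = 512, 1 << 20
    while lo < hi:
        mid = (lo + hi) // 2
        if rsa_security_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return ((lo + 7) // 8) * 8


def key_size_table(sizes=(1024, 2048, 3072, 4096, 8192, 16384)) -> dict:
    """Work-factor estimate for the key sizes argued about in the thread."""
    return {k: round(rsa_security_bits(k), 1) for k in sizes}


if __name__ == "__main__":
    for k, bits in key_size_table().items():
        print(f"{k:6d}-bit RSA/DH  ~ {bits:6.1f} bits of work")
    for n in (1, 1 << 10, 1 << 20, 1 << 30):
        need = required_master_bits(n)
        print(f"{n:>11d} messages: master key needs ~{need:5.1f} bits"
              f" -> about a {modulus_bits_for_security(need)}-bit modulus")
```

The table makes the shape of the disagreement visible: the modelled factoring cost grows sub-exponentially, so going from 4096 to 16384 bits adds roughly a hundred bits of work rather than quadrupling it, while Dave's rule only asks for 128 + log2(n) + 1 bits, which even a million protected messages puts a little above a 4096-bit modulus.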


John Driscoll

Jan 26, 2000, 3:00:00 AM
The only reason I endorse the official version of PGP is because there is
not a single person about who seriously claims it has a backdoor. I have
seen thousands of people from all walks of life back up PGP. When you cannot
get a person you trust to verify something, you have to see what the masses
say. It might be possible to recruit a hundred volunteers on the govt.
payroll to go about spreading the word of a phony encryption tool, but I
have seen more people than this back up pgp. And anyway, I am not worth 100
people, so I draw the conclusion PGP is secure.

I also know that CKT builds of PGP are ones which individuals have altered.
I know a trapdoor will not be visible to me. I know how easy it would be to
work off a 'private agenda' with these unofficial releases. And I know that
while I have a healthy interest in programming, I am not capable of
understanding all the lines of code which go into the making of PGP.

So I can't actually verify the code myself. The man the world is
scrutinising to keep him clean of corruption (Phil Zimmermann) says "Don't
use CKT". The masses have stopped being useful, because they all use &
scrutinise PGP, but not the CKT versions...

Now you see the options for making sure I am not being taken for a ride are
all run out. I definitely cannot trust CKT builds. You say you have checked
the code, and entirely understand what you found, and also feel it is
backdoor free... CONGRATULATIONS!!! But perhaps I should tell you you are
probably in the minority, because many of us love security, but are not A
class programmers. Bummer, huh?

John D


Dave Howe <DHowe@hawkswing> wrote in message
news:kh+OOJ2KwI8i2g...@4ax.com...


flare...@icqmail.com

Jan 27, 2000, 3:00:00 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bad thing :(
The only version that seems to work for me are the CKT versions. The
official ones don't work. So I guess I'll have to use CKT or abandon PGP.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2ckt
Comment: PGPi available at http://www.pgpi.org/
Comment: KeyID: 0x5A7387AF
Comment: Fingerprint: 9A15 B3A0 68BE 08B3 9FC9 DA57 A2B9 C7B1 5A73 87AF

iQA/AwUBOI9zFKK5x7Fac4evEQLcvwCfZh7RMSYaBMSRF9IZ/NVItiF495cAoPwA
CW+YmTyjqBUe6tn8IL2s9/oM
=nfRQ
-----END PGP SIGNATURE-----

-----------------------------------------------------
PGP key:0x5B70E7A5 3072/1024 DH/DSS
Fingerprint:10BC 8849 4215 537D 89E5 1C85 12AA E55C 5B70 E7A5

John Driscoll

Jan 28, 2000, 3:00:00 AM
Yeah, erm... I read about half of your post, and then I decided the volume
control was a good idea, and got rid of your constant swearing...

Little boy, do you have anything which is actually serious to say to this
Newsgroup? We are clever people here, and we come specifically to discuss
the higher end ins and outs of PGP and security software in general. Not who
we'd put on our top ten assholes of the year list.

You discuss having a wife and kids. I don't believe you. No self respecting
adult talks with half the immaturity you used in your note.

I don't believe you had one remotely intelligent or relevant comment in that
whole mess. To summarise, you just swear, and say you like CKT versions.

Please take this rubbish from this newsgroup, and seek medical advice.

Volume Control <n2w...@caliope12.com> wrote in message
news:27225440.19f1d18@nowhere_never.com...


> On Thu, 27 Jan 2000 08:04:26 GMT, flare...@icqmail.com wrote:
>
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Bad thing :(
> >The only version that seems to work for me are the CKT versions. The
> >offical ones don't work. So I guess I'll have to use CKT or abandon PGP.
> >

> Geeez! John Driscoll - is he a 'real' human or a robotic prat from the
> outer reaches of the neversphere?
>
> This has to be the most boring thread I've come across, started by
> some eggheaded stupid pseudo-intellectual spouting verbal garbage,
> trying to substantiate and differentiate between various versions of
> PGP.
> I don't give a fuck about whether CKt versions of PGP use key lengths
> of 1 million or 120 bytes. What a fucking stupid diatribe. Who gives a
> gnat's ass about Phil Zimmermann's NFO. He was just making a comment on
> key length. Period. We don't have to rewrite the annals of PGP based on
> a single NFO because some cretin decides to turn that NFO into his
> personal security crutch. It really doesn't matter whether CKt makes
> larger keys than the standard version. What matters is that it works,
> is reliable and is a version that has evolved directly as a result of
> user interaction and feedback. The reason I will always use CKt is
> that I, my wife and others I know, helped beta test it, and it works
> the way it does because of inputs we, and others have made. I like it
> because it does what I want. It is no better or weaker than the
> official version, but its usability works the way I want it to. OK?
> Is that a good enough reason for using a piece of software. Fuck you
> John Driscoll. The product works, the official PGP version sometimes
> doesn't work. CAN YOU UNDERSTAND THAT YOU DUMB SHIT.
> Go and take your mealy mouthed piss shit brain elsewhere and start a
> some other pseudo intellectual claptrap on another group. I suggest
> the merits of food distribution in an ant colony should suffice. I'm
> sure you'll get some takers somewhere. In the meantime, the rest of us
> can get on with our lives using products we're happy to use without
> having archaic arrogant statements from some 'newbie' cretin telling
> us to stay away from products we've being using for years. I don't go
> telling John Driscoll how to wipe his pokey ass, so I don't expect, or
> like it when he presents a totally unfounded opinion on the group,
> dressed up as some dire technological warning about the dangers of
> using a piece of 'non standardised' software. Go and take a crap in
> somebody else's kitchen sink you asshole. We don't need to read what
> you've endorsed, or what you've eaten for breakfast and as the
> majority of folks on this group, (with the exception of John
> Driscoll), appear intelligent, rational and logical contributors, we
> are fully able to rationalise the relative risks of the security of
> the products we use, against the integrity of its developers.
> I suggest next time you use what little grey matter you have in your
> erstwhile 'dick' before uttering elaborate casuistries about matters
> which you know absolutely nothing about, or you wouldn't go around
> quoting extracts from Phil Zimmermann.
>
> Yes, you've been flamed you little piece of dog-shit, and by the way,
> you've also earned the single most achievement of being the ONLY
> 'idiot' in 3 years on this group of EVER making it to my kill filter.
> Welcome
> Plonk!

Dave Howe

Jan 29, 2000, 3:00:00 AM1/29/00
In our last episode (<alt.security.pgp>[Wed, 26 Jan 2000 16:38:55 -0000]), "John Driscoll" <in...@spamdriscoll5.freeserve.co.uk> said :
>The only reason I endorse the official version of PGP is because there is
>not a single person about who seriously claims it has a backdoor. I have
>seen thousands of people from all walks of life back up PGP. When you cannot
>get a person you trust to verify something, you have to see what the masses
>say. It might be possible to recruit a hundred volunteers on the govt.
>payroll to go about spreading the word of a phony encryption tool, but I
>have seen more people than this back up pgp. And anyway, I am not worth 100
>people, so I draw the conclusion PGP is secure.
It's a nice theory - unfortunately, given you are in .uk, you
couldn't possibly have gotten an "official" build from NAI, as the
server wouldn't allow you to download it - you must have a Replay or
PGPi build.
Somewhere along the line, you are having to trust *someone* to have
gotten you the installer.

>I also know that CKT builds of PGP are ones which individuals have altered.
>I know a trapdoor will not be visible to me. I know how easy it would be to
>work off a 'private agenda' with these unofficial releases. And I know that
>while I have a healthy interest in programming, I am not capable of
>understanding all the lines of code which go into the making of PGP.

few people are. I don't claim to have verified all of the code - I am
a decent coder, but only a cookbook cryptographer - but I can and did
take a Diff of the source files from the "clean" copy held at
pgpi. That I therefore have to trust that pgpi themselves haven't
trojaned it is a given :+)

>So I can't actually verify the code myself. The man the world is
>scrutinising to keep him clean of corruption (Phil Zimmermann) says "Don't
>use CKT". The masses have stopped being useful, because they all use &
>scrutinise PGP, but not the CKT versions...

I would be surprised if PZ actually carefully scrutinized the source
before a new release was built, and used his own, known good compiler
to do so. He has sold his company and all rights to PGP to NAI, for
good or for ill, and we have to live with it.

>Now you see the options for making sure I am not being taken for a ride are
>all run out. I definitely cannot trust CKT builds. You say you have checked
>the code, and entirely understand what you found, and also feel it is
>backdoor free... CONGRATULATIONS!!! But perhaps I should tell you you are
>probably in the minority, because many of us love security, but are not A
>class programmers. Bummer, huh?

You don't have to be. All I am saying is you are trusting people
ANYWAY, and while you don't know those involved at ckt, you don't know
the NAI programming team either.

John Driscoll

Jan 29, 2000, 3:00:00 AM1/29/00
I have a PGPi build of PGP.

I do not trust middlemen, unless I have a promise I can trust them.

In this case, I emailed Phil Zimmermann himself before getting a pgpi copy of
pgp. I asked him "Can I trust the PGPI site? Can YOU verify it is totally
secure".

I received an email back about two days later saying "Yes, I can verify it
is safe". That was goo enough for me. If I have to trust someone, and I do,
I make it the man the world watches...

JDD



Dave Howe

Jan 30, 2000, 3:00:00 AM1/30/00
In our last episode (<alt.security.pgp>[Sat, 29 Jan 2000 23:03:48 -0000]), "John Driscoll" <in...@spamdriscoll5.freeserve.co.uk> said :
>I have a PGPi build of PGP.
>
>I do not trust middlemen, unless I have a promise I can trust them.
>
>In this case, I emailed Phil Zimmermann himself before getting a pgpi copy of
>pgp. I asked him "Can I trust the PGPI site? Can YOU verify it is totally
>secure".
>
>I received an email back about two days later saying "Yes, I can verify it
>is safe". That was goo enough for me. If I have to trust someone, and I do,
>I make it the man the world watches...
Fair enough.
I imagine if you are going to trust ANYONE else's opinion on if a
given non-NAI build is valid, PZ will be top of the list :+)


Dave Howe

Jan 30, 2000, 3:00:00 AM1/30/00
In our last episode (<alt.security.pgp>[Thu, 27 Jan 2000 08:04:26 GMT]), flare...@icqmail.com said :

>Bad thing :(
>The only version that seems to work for me are the CKT versions. The
>official ones don't work. So I guess I'll have to use CKT or abandon PGP.
I *prefer* the ckt versions - they have additional features I like.
However, I haven't upgraded from 5.5.3 yet - partly because I don't
have VC6, so can't compile my own, but mostly because I can't see the
additional "features" of 6.x as worth the effort. I can use SSH if I
want a secure link, and it works right through firewalls/spoofing
proxies and the internet.
