[7114] in cryptography@c2.net mail archive
Re: Critics blast Windows 2000's quiet use of DES instead of 3DES
daemon@ATHENA.MIT.EDU (L. Sassaman)
Wed May 17 23:40:05 2000
Date: Wed, 17 May 2000 19:00:32 -0700 (PDT)
From: "L. Sassaman" <rabbi@quickie.net>
To: John Young <jya@pipeline.com>
Cc: John Gilmore <gnu@toad.com>, cryptography@c2.net
In-Reply-To: <200005171556.LAA11185@tisch.mail.mindspring.net>
Message-ID: <Pine.LNX.4.21.QNWS_2.0005171855120.14724-100000@thetis.deor.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 17 May 2000, John Young wrote:
> While John may be speculating about NSA subversion of strong crypto,
> specific examples of this would be very helpful. Here are a few firms
> for consideration as candidates for today's Crypto AGs besides Microsoft
> (meaning latest products, not those that have been suspected in the past):
>
> Cylink
> IBM
> Lotus
> TIS
> RSA
> PGP
PGP's source code has always been available for public review. This has
not changed. There are no "back doors" for the NSA in PGP, and PGP has
never supported weak (under 128 bit) encryption, and never will.
> Perhaps it would be fair to list all firms that are now exporting strong
> crypto if John's speculation is accurate.
His speculation, however, is also based on the fact that Microsoft uses
DES with its security products.
> How to get any compromise out in the open is the question. Presumably,
> secrecy agreements or NDAs are in effect for any complicit firm and its
> employees.We've gotten a couple of anonymous letters recently about
> Cylink but nothing on the others.
Well, I can tell you that my NDAs do not cover secrecy agreements for
compromises made with the NSA. If PGP were in any way compromised by the
NSA (or any other party, for that matter) I would not be working here.
Look at the code.
> Duncan Campbell's exchanges with Microsoft have been squelched
> by MS, but one final exchange is in the works which summarizes
> what MS has publicly stated and what suspicions remain unanswered.
> Similar queries in depth could be made to the other crypto exporters,
> if for no other reason than to assure their foreign customers that they
> can take and answer hard criticism. Otherwise, suspicions of
> complicity may undermine credibility of all US crypto products.
I think that PGP has done just about everything that we can to assure the
users that our software is not in any way compromised. If there is
anything else we can do I would like to know about it.
__
L. Sassaman
System Administrator | "Everything must end;
Technology Consultant | meanwhile we must
icq.. 10735603 | amuse ourselves."
pgp.. finger://ns.quickie.net/rabbi | --Voltaire
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE5I07HPYrxsgmsCmoRAh+dAKC+5wwI09TXrbXvAv/OpMgD1lJyewCdGLi5
iynCfAueqfhIHfyoq4VOv7Y=
=rgGw
-----END PGP SIGNATURE-----
