Re: Encryption

From: Tom Arseneault (
Date: 01/14/02

Date: Mon, 14 Jan 2002 13:59:29 -0800 (PST)
From: Tom Arseneault <>
To: Robin Lynn Frank <>

I agree with Seth Arnold's reply to this message and just have the
following to add: One of the reasons that Phil Zimmermann left NAI is that
they stopped releasing the source code for peer review, though he did say
that the current version, up until he left, was still secure. By which I
assume that he meant that the crypto routines were left untouched and it
was just UI stuff that was modified.

Also GPG does not use patented algorithms such as IDEA and, until recently,
RSA (1.06 includes it). It does include all the normal algorithms that one
would expect: DES, 3DES, Blowfish, MD5, SHA-1, etc., which are all well
understood algorithms, so I would not worry too much about them. I can't
comment on key generation since I do not know what either one uses, but I
do know that from a quick (very quick) survey of bug reports, key
generation and handling was where most bugs were found, and not in the
encryption algorithms. I don't know of any current GPG bugs.

I have been doing some experiments between PGP and GPG and as far as I can
tell messages can be transferred easily between the two systems (current
versions at least). The only major difference I found between the two
systems is that PGP seems to have a more fleshed out key sharing system.
PGP seems to be able to use x.509 (ldap) systems as well as HTTP, email and
FTP key servers, while GPG does not understand x.509. From a note I found on
the GPG site (paraphrased, as I can't recall the exact wording) "...GPG
and x.509 are competing standards..." so I would not expect it to support
x.509 anytime in the near future.

There is something to be discussed about the relative security arising
from using x.509 or the "Web of Trust", i.e. how do you trust the key you
get off of a public key server? x.509 says trust the CA to have signed a
proper key, while the "Web of Trust" says "I trust Dan, Dan trusts Sam,
but do I trust Dan enough to trust Sam?". This leaves an awful lot on
the shoulders of the end user to get it right, but it does not rely on a
central authority to be up and running all the time, so it is more robust.
How x.509 works is an assumption on my part; I'm not an LDAP expert. If
there are any experts out there that know different, please chime in.

My $.02 worth...

Tom Arseneault
Sys. Admin.

P.S. <CYOA>Phil Zimmermann's note did not come right out and say that was a
reason for his leaving NAI, but he went to such great lengths to ensure you
understood this point that it's an assumption on my part. If I'm wrong in
my assumption, please accept my apology to Phil and NAI.</CYOA>

On Sat, 12 Jan 2002, Robin Lynn Frank wrote:

> Does anyone know of any definitive study of the relative security of
> PGP6.5.8 vs. GnuPG 1.06
> --
> Robin Lynn Frank
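
The Web of Trust question raised in the message ("do I trust Dan enough to trust Sam?"), worked as an added example that is not part of the original post: a simplified model of the classic PGP/GnuPG validity calculation, which keeps "this key really belongs to Dan" separate from "I trust Dan to certify other keys". The names, the signature graph and the `valid_keys` helper are constructed for illustration; the three thresholds are GnuPG's documented defaults.

```python
# Added illustration (not from the original post): simplified classic
# PGP/GnuPG-style key validity. Names and signature graph are constructed.
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5    # GnuPG default for --max-cert-depth


def valid_keys(me, signatures, owner_trust):
    """Return {key: depth} for every key that is valid from `me`'s viewpoint.

    signatures:  {signer: set of keys that signer has certified}
    owner_trust: {key: FULL or MARGINAL}, how far `me` trusts that key's
                 owner to certify others; no entry means "not an introducer".
    """
    valid = {me: 0}
    everyone = set().union(*signatures.values())
    for depth in range(1, MAX_CERT_DEPTH + 1):
        # A key may introduce others only if it is already valid AND its
        # owner is trusted; validity alone ("this is Dan's key") is not enough.
        full = [k for k in valid if k == me or owner_trust.get(k) == FULL]
        marginal = [k for k in valid
                    if k != me and owner_trust.get(k) == MARGINAL]
        newly = set()
        for key in everyone - set(valid):
            n_full = sum(key in signatures.get(s, ()) for s in full)
            n_marginal = sum(key in signatures.get(s, ()) for s in marginal)
            if n_full >= COMPLETES_NEEDED or n_marginal >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid.update(dict.fromkeys(newly, depth))
    return valid


# Constructed graph: I signed Dan, Ann, Bob and Cat; Dan signed Sam;
# Sam signed Eve; Ann, Bob and Cat each signed Joe.
SIGS = {"me": {"dan", "ann", "bob", "cat"}, "dan": {"sam"}, "sam": {"eve"},
        "ann": {"joe"}, "bob": {"joe"}, "cat": {"joe"}}

if __name__ == "__main__":
    print(valid_keys("me", SIGS, {}))             # Sam is not valid
    print(valid_keys("me", SIGS, {"dan": FULL}))  # Sam valid, Eve still not
    print(valid_keys("me", SIGS, dict.fromkeys(["ann", "bob", "cat"], MARGINAL)))
```

Verifying Dan's key makes only Dan's key valid; Sam's key becomes valid only once Dan is also assigned owner trust, and Eve's stays invalid until the same decision is made about Sam.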