Re: PGP Backdoor
From: Noah Salzman (nsalzman@ncircle.com)
Date: 11/26/02
- Previous message: Jeffrey Eliasen: "RE: RE: Wireless security and VPN"
- In reply to:(deleted message) Jay D. Dyson: "Re: PGP Backdoor"
- Next in thread: Chris Berry: "Re: PGP Backdoor"
Date: Tue, 26 Nov 2002 10:34:00 -0800
From: Noah Salzman <nsalzman@ncircle.com>
To: Security-Basics List <security-basics@securityfocus.com>

It's entirely a myth.
NAI acquired TIS and PGP and the two teams never intermingled, other
than both being on the 9th floor in Santa Clara. TIS was the only part
of the company that had anything to do with Key Escrow.
The folks who ran the PGP group are the same group that are now
involved with PGP Incorporated. They have committed to publishing
source code (just as they did for a while at NAI before NAI executives
limited the practice to just the SDK code).
--Noah--
On Monday, November 25, 2002, at 11:11 PM, Jay D. Dyson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 22 Nov 2002, Ted Yav wrote:
>
>> My organization was considering buying PGP Corporate for encryption. I
>> have heard rumors, however, that it was backdoored and therefore not
>> totally secure. Does anyone know whether this is true or just a myth?
>
> It's mostly a myth, though it is true that Network Associates,
> Inc. (NAI) was in bed with the Key Escrow movement[1]. This caused all
> manner of ill will between the crypto community and NAI during the time
> they owned PGP. Eventually there came a time when NAI's Additional
> Decryption Keys feature[2] bit them in the ass and showed how flawed the
> whole idea of "trusted third party" thinking really was.
>
> For my own part, I never trust anything that's closed source.
> It's said that the true test of a person's character is what they do when
> nobody's looking. Speaking solely for myself, I am not inclined to put
> much faith in the character of people I do not know.
>
> All told, I'd sooner recommend Gnu Privacy Guard (GPG) these days.
> It's just a better product overall.
>
> - -Jay
>
> 1. http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-11/0059.html
> 2. http://www.treachery.net/articles_papers/2000_09/pgp_adk.html
>
> ( (
> _______
> )) )) .--"There's always time for a good cup of coffee"--.
> >====<--.
> C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@treachery.net ------<) |
> = |-'
> `--' `--' `------ Lead, follow, or get-out-of the way. ------'
> `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQE94x68TqL/+mXtpucRAg0SAJ42sv/tZfxGx5CewsMrAnZ0xb+hcACgrTcu
> FZv3rcs46tEuy3ehn7LTwpo=
> =E08d
> -----END PGP SIGNATURE-----
>