Re: Help spread strong cryptography now!

Bruce Stephens wrote:
"privacy concerned" <privacyconcerned@xxxxxxxxx> writes:


The reason you trust PGP/GPG more than EaSecure is only because
PGP/GPG has been around much longer. There is no fundamental
difference in encryption strength and other quality between the two.

The former is obviously not true: we trust PGP and GPG more because
they've been studied more, and because they *can* be studied more (the
design's public, RFC 2440, and the source code for various versions is
publicly available (possibly all versions; I'm not entirely sure
about PGP, though, maybe some versions were binary only?)).

EaSecure might be soundly designed and implemented, but it's hard to
say. (Well publicised bugs have been found in GPG, after all;
presumably there are some in EaSecure, too.)

So why take the risk, particularly when it requires paying money to
some random US company, and using not just Windows, but apparently
IE6, too?

(Not that I'm especially sceptical about this particular product. I'm
doubtful of the notion of any product that makes this kind of thing
"simple". Doing it properly seems to me to require a certain amount
of care on the part of users, and it's that necessary care that's
mostly what makes things a bit tricky to use. Once you've eliminated
those subtleties (concerning knowing whose keys you're actually using
to encrypt with, whose key was used to sign a message, etc.), I
suspect the "2048 bit RSA" and "AES256" and stuff is mostly

If EaSecure publishes the design and source code, will you trust it
then? This may happen after some IP rights (such as patents) are