
Re: Apology to Dale Thorn



William H. Geiger III wrote:
> In <[email protected]>, on 11/09/96 at 04:38 PM,
>    Dale Thorn <[email protected]> said:

[snip]

> I am confused by Dale's repeated attacks on PGP without offering viable
> alternatives for a public-key encryption system.
> Sorry, I'll try to remember to count to 10 before I post replies to the list. :)

I've made errors attributing stuff to wrong parties (oops, cringe).

And I apologize for not offering a viable alternative to PGP.

In another posting, I made a suggestion for making the source code to
PGP *really* public, i.e., in a form that the average programmer can
verify and edit (for personal use only, of course).

I'm tending to think that, instead of using PGP for all encoding (even
though it may have multiple facilities for all situations), a message
could be encrypted with a good trusted private-key system or whatever,
then the private key encrypted with the Public Key software and sent
either separately or with the message.

The above might be more cumbersome, but it could be automated with
messaging automation techniques. At least it would reduce the dependence
on PGP to encrypting only the private key(s), which would encourage using
PGP at its most secure (slowest) level of encryption for the entire process
of encrypting the private key data.  As an aside to OTP's, this would not
apply for obvious reasons, i.e., the length of the key.

Of course, this still requires validation of PGP in whatever portion of
the code would be required to encode the private key.  My recommendation
for really serious users would be to separate out that code and recompile
it separately from the remainder of PGP (for personal use only, of course).

And in case it got lost in my rhetoric, I do appreciate that there's no
substitute for the Public Key process.
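The scheme sketched above (encrypt the message with a symmetric cipher under a fresh key, then use the public-key system only to encrypt that key, and send the two parts together or separately) is what is now called hybrid encryption. The following is an added worked example, not code from the post or from PGP. It assumes AES-256-GCM for the message body and RSA-OAEP for wrapping the session key, both from Go's standard library, in place of whatever ciphers PGP would supply; the sample message is constructed for the demonstration. The only public-key operation is the one that wraps the key, which is the part the post proposes isolating and recompiling separately. As the post notes, the arrangement makes no sense for a one-time pad, whose key is as long as the message; here the key is always 32 bytes regardless of message length.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the on-the-wire form: the body encrypted under a fresh
// symmetric session key, plus that key encrypted with the public-key
// system. The two halves may travel together or separately.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte session key
	Nonce      []byte // AES-GCM nonce, unique per session key
	Body       []byte // AES-GCM ciphertext with the authentication tag appended
}

// Seal encrypts msg for the holder of pub. AES-256-GCM and RSA-OAEP are
// assumptions made for this example; the post leaves both ciphers open.
func Seal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	// Fresh random session key per message: a leaked key exposes one message.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, msg, nil)

	// The only public-key operation in the whole process: wrap the session
	// key. This is the step that would be handed to PGP.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Open unwraps the session key with priv and decrypts the body. GCM rejects
// any modification of body or nonce, so a tampered envelope fails here
// instead of yielding garbage plaintext.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil {
		return nil, fmt.Errorf("body rejected: %w", err)
	}
	return msg, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip generates a recipient key pair, seals msg, opens it, then flips
// one byte of the body and reports whether the tampered copy was rejected.
func RoundTrip(msg []byte) (recovered []byte, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	env, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		return nil, false, err
	}
	recovered, err = Open(priv, env)
	if err != nil {
		return nil, false, err
	}
	tampered := &Envelope{
		WrappedKey: env.WrappedKey,
		Nonce:      env.Nonce,
		Body:       append([]byte(nil), env.Body...),
	}
	tampered.Body[0] ^= 0x01
	_, err = Open(priv, tampered)
	return recovered, err != nil, nil
}

func main() {
	// Constructed sample message for the demonstration.
	msg := []byte("The meeting is moved to 4 PM.")
	got, rejected, err := RoundTrip(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\ntampered copy rejected: %v\n", got, rejected)
}
```

Only Seal's last step and Open's first step touch the public key; everything else is the symmetric layer, so the trusted-code surface that has to be audited in the public-key software is exactly the key-wrapping routine. The authenticated cipher is a choice made here, not something the post requires, but without it a recipient would have no way to tell a modified body from a genuine one.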