[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re, PGP bastardization (fwd)



I was shocked to receive an E-mail from Phill Zimmermann.
Here is my reply to his E-mail.

From: Philip Zimmermann <[email protected]>
>Tom, I hear that you are distributing a modified version of PGP that 
>uses a different customized encryption algorithm of your own design.
 
I have pieced together a multiple cipher that consists of the chain
IDEA-TRAN-IDEA-TRAN-IDEA. Where IDEA is the same IDEA (128 bit key +
64 bit IV) algorithm that pgp uses and TRAN is a byte transposition
across the 4K buffer block (each tran uses 32 bit key). Thus giving
this multiple cipher a keyspace of 640 bits.
 
I have made modifications to pgp that will let a user _optionally_
use this alogrithem instead of the single IDEA cipher. This change
was made to show pgp versitility and usefullness in transporting
an unweildly large conventional key with ease. On decrypting, the
modification detects which type of key is in the RSA packet and then
invokes the proper algorithm. Please note that the origional cipher
algorithems are intact and are used as the default method.
 
>If you read the "Snake Oil" section of the PGP User's Guide, then you
>know how I feel about amateur cryptographer's encryption algorithms
>that have not been subjected to extensive peer review.
 
Well, It is true that I am _not_ being paid for this software. It
is my hobby. And I don't care how you feel about my hobby.
Please feel free to make any constructive comments about the
algorithm.
 
>PGP's reputation, and my repuitation (which is tied to PGP), depends
>of people trusting the quality of encryption algorithms and protocols
>that I have carefully selected for PGP, using all of my knowledge and
>experience.  If someone were to put a new encryption algorithm into
>PGP without my permission, it could serve to tarnish the reputation
>that PGP has earned over the years.
 
I am a little confused about this statement. The following (2)
paragraphs came from the a pgp.c source file.  So, I don't see
that my small changes can damage your reputation.
 
    (c) Copyright 1990 by Philip Zimmermann.  All rights reserved.
    The author assumes no liability for damages resulting from the use 
    of this software, even if the damage results from defects in this 
    software.  No warranty is expressed or implied.  
 
    All the source code I wrote for PGP is available for free under 
    the "Copyleft" General Public License from the Free Software 
    Foundation.  A copy of that license agreement is included in the 
    source release package of PGP.
 
>Accordingly, I do not approve of anyone modifying the cryptographic
>characteristics of PGP.  PGP and Pretty Good Privacy are my trademarks,
>and their good name is trusted the world over because of the care that 
>I have exercised in selecting its algorithms.
 
I believe that you have released the pgp software under the Free
Software Foundation "Copyleft" License.
 
>If you'd like to write your own cryptographic utility, using your own
>algorithms and protocols, I have no problem with that.  But I do not 
>want my program, my documentation, my name, and my trademarks, to be
>used for products that may have flawed algorithms.
 
Let me show you a paragraph from the "Copyleft" License that you
released the pgp program under.
 
    The license agreements of most software companies try to keep users
    at the mercy of those companies.  By contrast, our General Public
    License is intended to guarantee your freedom to share and change free
    software--to make sure the software is free for all its users.  The
    General Public License applies to the Free Software Foundation's
    software and to any other program whose authors commit to using it.
 
>I also have no problem with you modifying PGP for your own private
>use, if you like to experiment with new algorithms of your own design.
>But I do not want you to distribute such a program to others, if it uses
>my code, my manuals, my name, and my trademarks.  It could hurt my
>reputation and PGP's reputation.
 
I guess that I will have to quote (2) more paragraphs from the
"Copyleft" License that you released the pgp program under.
 
    When we speak of free software, we are referring to freedom, not
    price.  Specifically, the General Public License is designed to make
    sure that you have the freedom to give away or sell copies of free
    software, that you receive source code or can get it if you want it,
    that you can change the software or use pieces of it in new free
    programs; and that you know you can do these things.
 
    To protect your rights, we need to make restrictions that forbid
    anyone to deny you these rights or to ask you to surrender the rights.
    These restrictions translate to certain responsibilities for you if you
    distribute copies of the software, or if you modify it.
 
>If I am misinformed on this subject, please let me know and accept
>my apology for assuming too much.  Otherwise, I'd like you to remedy
>the situation.  Please let me know what has happened and what we can
>do about it.
 
I believe that you may by misinformed.  I hope that I have made my
position clear. You relesased the pgp program under the "Copyleft"
License. I have the right to change the software or use pieced of it.
I am protected from you trying to deny me those rights.
 
>Sincerely,
>Philip Zimmermann
>[email protected]
 
Sincerely,
Tom Rollins
<[email protected]>