Re: Privacy Software




Adam Back wrote:
| Monty Cantsin writes:

| > We should consider a rewrite, which gives us the added benefit that
| > it will be completely unencumbered.
| 
| Sounds maybe worth doing.
| 

Not maybe at all. The IETF will require a second, interoperable
implementation for standardization of OpenPGP.  It's sad that the
interoperable SSH was written for Pilots, since it uses some libraries
there that are not portable.

| > Something I've never liked about PGP is their approach to encrypting
| > to multiple keys.  For one thing, the PGP crowd seems overly
| > conservative with bit expenditure, which is silly because bits are
| > cheap.  This means that creating entirely separate messages is
| > completely economical.
| 
| This is more secure I agree.  The real kicker with this problem is
| people who turn on encrypt to self -- I don't want messages with
| encrypt to self (an extra door into the message) on them in my
| mailbox, nor coming over the wire headed to me.

Pretty Good, not Perfectly Strong.

Never underestimate the value of pretty good security.  The bad guys
use scanners that need to work in real time; even 40 bit crypto with a
30 second delay creates huge headaches.  I see a PGP encrypted
message, even with encrypt to self on, as pretty good.  Sure, it's not
sealed with a two color wax seal in a tyvek envelope, but it's pretty
good.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume