phil zimmerman on GPG

Werner Koch wk@gnupg.org
Mon, 11 Sep 2000 11:06:44 +0200 

--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, 9 Sep 2000, Brenno J.S.A.A.F. de Winter wrote:


> That's funny. Bruce Schneier himself said on Twofish last year on Rootfest

> that he would not use it yet, because it was to new. He had more confiden=

ce

> in Blowfish sofar .... So who should we believe. Werner ... you be the ju=

dge.

I talked with Bruce about that and according to him he is sometimes
more convinced that Twofish is better and sometimes that Blowfish is
still better.  Anyway, both are good algorithms and it does not
matter which one you use.

Yesterday I finished "Secrets & Lies" - it is a really good book,
nothing new but you don't see detail by detail but the whole
landscape.  Really impressive.  There is an attack tree for PGP in
it (it is also somewhere on counterpane.com) and if you look at it
you will be convimced that it does not matter whether you use
Blowfish, Twofish, CAST5, 3-DES, IDEA (or vene single DES).


> .... the part of plugable algorithms do not make too much sense to me, but

> maybe I'm just missing the point here. Without denying what Phil Zimmerman


We need them as a workaround for the patented algorithms and they
are nice when using gpg for experiments.  They add complexity and
therefore they increase the risk of security bugs.  However it is
not a vulnerability - it doesn't matter whether you are able to
change a module, gpg itself, libc, libz, libintl, the kernel or the
microcode (how would you call that in the Crusoe ship?) of the CPU.

I think I have always talked fair about PGP and when some time ago
Phil gave me a phone call to ask me to remove some unfair statements
from the GnuPG website I promised to check this.  I did not found
such a thing and he didn't answered my mail to tell me the URL of
that statement.  I have not yet read that interview but I hope that
the things mentioned here are out of context.  I am regulary
exchanging mails with some of the PGP developers to make sure that
our implementaions are interoperable (more or less).  I am quite
confident that the PGP developers are trustworthy - however there is
also the management and the CD production and I do not have any
opinion of them ;).

 =20
  Werner
 =20
 =20
--=20
Werner Koch				GnuPG key:  621CC013
OpenIT GmbH                             http://www.OpenIT.de

--ikeVEW9yuYc//A+q
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5vKCjbH7huGIcwBMRAjtsAKDGgGXFmYGBtcwJsdUTTOCPClJT0wCgnbck
x7sOi4gX4WfT4ITTaftVel4=
=uHZt
-----END PGP SIGNATURE-----

--ikeVEW9yuYc//A+q--

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org