Mailing List Archive: phil zimmerman on GPG

phil zimmerman on GPG

jsaylor at mediaone

Sep 8, 2000, 5:17 PM

Post #1 of 6 (453 views)

Hi

There was a "chat" with Mr. Z on a website recently [.no URL, but I found
it through /. and could find it again if pressed]. People sent email and
he responded.

One questioner brought up GnuPG and he dissed it. Saying that the
modular design [plugable algorithms] was a weakness not shared by PGP.
He also said blowfish sucked [twofish is much better], and ElGamal was
weak [DSS better].

Did anyone else see this? Comments?

--
\js

Never draw fire; it irritates the people around you.

Re: phil zimmerman on GPG [ In reply to ]

brenno at dewinter

Sep 8, 2000, 10:54 PM

Post #2 of 6 (451 views)

John,

That's funny. Bruce Schneier himself said on Twofish last year on Rootfest
that he would not use it yet, because it was to new. He had more confidence
in Blowfish sofar .... So who should we believe. Werner ... you be the judge.
.... the part of plugable algorithms do not make too much sense to me, but
maybe I'm just missing the point here. Without denying what Phil Zimmerman
did for the PGP-world, I think his point of view is not unbiassed. Especially
on the recent news around PGP (something I heard before in June, but refused
to believe back then, since the person he claimed it couldn't prove it to
me). The fact that PGP currently is a part of Network Associates, which
according to some people has strong ties with the US Government concerned me
for some time already. From that point-of-view GnuPG is a very important
development!

Cheers,

Brenno.

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org

Re: phil zimmerman on GPG [ In reply to ]

richard at sheflug

Sep 9, 2000, 2:37 AM

Post #3 of 6 (453 views)

Dear All

"Brenno J.S.A.A.F. de Winter" wrote:
>
> John,
>
> That's funny. Bruce Schneier himself said on Twofish last year on Rootfest
> that he would not use it yet, because it was to new. He had more confidence
> in Blowfish sofar .... So who should we believe. Werner ... you be the judge.

I was taught an old joke by the British Army back in 1988. That was
when I was still something to do with the services in the UK. It goes
like this......

BLOWFISH: Something that you can use between the wife's legs when you
are too tired to do anything for her (you know how it is ? All those
assault course tire you out ? )

TWOFISH: Something that you can use on the wife and the mistress as
well at the same time when you are too tired to do anything for either
of them.

Perhaps someone may not be telling the truth on this list ?

Thanks

--
Richard
Sheffield Linux
User's Group

http://www.sheflug.co.uk

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org

Re: phil zimmerman on GPG [ In reply to ]

Sep 11, 2000, 2:06 AM

Post #4 of 6 (453 views)

On Sat, 9 Sep 2000, Brenno J.S.A.A.F. de Winter wrote:

> That's funny. Bruce Schneier himself said on Twofish last year on Rootfest
> that he would not use it yet, because it was to new. He had more confidence
> in Blowfish sofar .... So who should we believe. Werner ... you be the judge.

I talked with Bruce about that and according to him he is sometimes
more convinced that Twofish is better and sometimes that Blowfish is
still better. Anyway, both are good algorithms and it does not
matter which one you use.

Yesterday I finished "Secrets & Lies" - it is a really good book,
nothing new but you don't see detail by detail but the whole
landscape. Really impressive. There is an attack tree for PGP in
it (it is also somewhere on counterpane.com) and if you look at it
you will be convimced that it does not matter whether you use
Blowfish, Twofish, CAST5, 3-DES, IDEA (or vene single DES).

> .... the part of plugable algorithms do not make too much sense to me, but
> maybe I'm just missing the point here. Without denying what Phil Zimmerman

We need them as a workaround for the patented algorithms and they
are nice when using gpg for experiments. They add complexity and
therefore they increase the risk of security bugs. However it is
not a vulnerability - it doesn't matter whether you are able to
change a module, gpg itself, libc, libz, libintl, the kernel or the
microcode (how would you call that in the Crusoe ship?) of the CPU.

I think I have always talked fair about PGP and when some time ago
Phil gave me a phone call to ask me to remove some unfair statements
from the GnuPG website I promised to check this. I did not found
such a thing and he didn't answered my mail to tell me the URL of
that statement. I have not yet read that interview but I hope that
the things mentioned here are out of context. I am regulary
exchanging mails with some of the PGP developers to make sure that
our implementaions are interoperable (more or less). I am quite
confident that the PGP developers are trustworthy - however there is
also the management and the CD production and I do not have any
opinion of them ;).

Werner

--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de

Re: phil zimmerman on GPG [ In reply to ]

brenno at dewinter

Sep 11, 2000, 2:57 AM

Post #5 of 6 (464 views)

Dear all,

> We need them as a workaround for the patented algorithms and they
> are nice when using gpg for experiments. They add complexity and
> therefore they increase the risk of security bugs. However it is
> not a vulnerability - it doesn't matter whether you are able to
> change a module, gpg itself, libc, libz, libintl, the kernel or the
> microcode (how would you call that in the Crusoe ship?) of the CPU.
Point taken and I fully agree on that one.

> I think I have always talked fair about PGP and when some time ago
> Phil gave me a phone call to ask me to remove some unfair statements
> from the GnuPG website I promised to check this.
Hmm that amazes me. I agree I was not able to catch you on faul play
yet. And I remember your fair and helpful attitude last year when I was
in desperate need of encryption for windows you even pointed me towards
PGP and that time. I sometimes got the feeling he is under some pressure
from his employer or so. It is a fact that the US government is not too
keen about this project, however you do nothing wrong. Even better ...
on the long term two compatible products may help both sides (marketing
mechanism). Companies in general will not run towards GPL-ed software
and smaller companies will (mostly the same that use now illegal copies
of software). So you are surely not such a big threat to Network
Associates.

> I did not found
> such a thing and he didn't answered my mail to tell me the URL of
> that statement.
Hmm too bad. A mail "sorry I was wrong" would make him more a gentleman.

Cheers,

Brenno J.S.A.A.F. de Winter
De Winter Information Solutions

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org

Re: phil zimmerman on GPG [ In reply to ]

jsaylor at mediaone

Sep 11, 2000, 6:05 PM

Post #6 of 6 (450 views)

Hi

Here are the URLs for the zimmerman quotes:
[.this one has the note about blowfish &c. but the URL is so weird ...]
http://forums.itworld.com/webx?7@237.0SmbaQ6Icbc^0@.ee6caf5/28!skip=-1

[here's a more likely one]
http://forums.itworld.com/webx?14@@.ee6caf5

The one I paraphrased has this timestamp:
Sep 7, 2000 11:55pm EDT

It's an online forum where Q&A is done, the pages are generated instead
of being static, so you'll have to dig a bit to find it.

Incidentally, does anyone know what's going on with these webx URLs?

--
\js

We live in a moment of history where change is so speeded up that we begin to
see the present only when it is already disappearing.
-R. D. Laing, The Politics of Experience