- Xref: sparky sci.crypt:6535 alt.security:5283 alt.security.pgp:466
- Newsgroups: sci.crypt,alt.security,alt.security.pgp
- Path: sparky!uunet!zaphod.mps.ohio-state.edu!darwin.sura.net!wupost!usc!cs.utexas.edu!torn!nott!uotcsi2!news
- From: cbbrowne@csi.uottawa.ca (Christopher Browne)
- Subject: Re: PGP 2.1 source posted to alt.sources
- Message-ID: <1993Jan8.155007.16181@csi.uottawa.ca>
- Sender: news@csi.uottawa.ca
- Nntp-Posting-Host: prge
- Organization: Dept. of Computer Science, University of Ottawa
- References: <1993Jan7.115335.1216@cs.aukuni.ac.nz> <C0IFAw.3vy@bcstec.ca.boeing.com>
- Date: Fri, 8 Jan 93 15:50:07 GMT
- Lines: 27
-
- In article <C0IFAw.3vy@bcstec.ca.boeing.com> vanzwol@bcstec.ca.boeing.com (Ted Van Zwol) writes:
- >This intrigues me. I'm not accusing you (Peter) of anything, but consider:
- >
- >How do we know the PGP sources on alt.sources (or even that on any FTP site
- >for that matter) are "safe"? What kind of precautions or checks exist to
- >prevent bogus code from cropping up? Why couldn't some intelligence agency
- >get their hands on the code and weaken the encryption algorithm just enough
- >for them and then distribute the modified source to the rest of the world?
- >
- >I haven't looked at the source or the comments myself, so I don't know if
- >this is already addressed. But, it concerns me. Who's to say the copies of
- >PGP available are trustworthy? I'm terribly confused...
-
- The best idea would probably be to have an MD5 signature of (say) the actual
- text of each post appended to the end. Said signatures could then be
- published either in:
- a) sci.crypt
- b) Some moderated newsgroup?
- c) The C Users Group magazine?
-
- or somewhere such.
-
- --
- Christopher Browne | PGP 2.0 key available
- cbbrowne@csi.uottawa.ca |======================================
- University of Ottawa | Genius may have its limitations, but
- Master of System Science Program | stupidity is not thus handicapped.
-
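The scheme suggested in the post, sketched as an added example (it is not part of the original post and not PGP code): each part carries a digest trailer, and the same digests are also published through a separate channel. The trailer format, part names and sample texts are constructed for illustration, and SHA-256 stands in for the post's MD5, which is no longer collision-resistant.

```python
import hashlib

TRAILER = "DIGEST: "  # constructed trailer format, not an existing convention

def canonical(text):
    """Normalise what news transport may change: line endings, trailing blanks."""
    lines = [ln.rstrip() for ln in text.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\n".join(lines) + "\n"

def digest(text, algo="sha256"):
    return hashlib.new(algo, canonical(text).encode("utf-8")).hexdigest()

def seal(text, algo="sha256"):
    """Poster side: append the digest trailer to the text of one part."""
    return canonical(text) + TRAILER + digest(text, algo) + "\n"

def check(name, post, manifest, algo="sha256"):
    """Reader side: manifest maps part name -> digest obtained out of band."""
    body, sep, claimed = post.rstrip().rpartition("\n" + TRAILER)
    if not sep:
        return "no-trailer"
    actual = digest(body, algo)
    if actual != claimed.strip():
        return "corrupt"     # body and its own trailer disagree
    if name not in manifest:
        return "unlisted"    # nothing independent to compare against
    if actual != manifest[name]:
        return "tampered"    # self-consistent, but not what was published
    return "ok"

# Constructed sample: two parts of a source posting.
PARTS = {"part01": "/* part 1 of 2 */\nint rounds = 16;\n",
         "part02": "/* part 2 of 2 */\nint keybits = 128;\n"}
POSTS = {n: seal(t) for n, t in PARTS.items()}
MANIFEST = {n: digest(t) for n, t in PARTS.items()}  # published separately

def demo():
    forged = seal(PARTS["part01"].replace("16", "2"))  # altered, then re-sealed
    damaged = POSTS["part02"].replace("keybits = 128", "keybits = l28")
    return {
        "genuine": check("part01", POSTS["part01"], MANIFEST),
        "crlf": check("part01", POSTS["part01"].replace("\n", "\r\n"), MANIFEST),
        "forged": check("part01", forged, MANIFEST),
        "damaged": check("part02", damaged, MANIFEST),
        "forged, no manifest": check("part01", forged, {}),
    }
```

The re-sealed forgery agrees with its own trailer, so only the comparison against the separately published digest reports it as `tampered`; without that list the result is `unlisted`, not `ok`.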