- Xref: sparky sci.crypt:6545 alt.security:5285 alt.security.pgp:468
- Newsgroups: sci.crypt,alt.security,alt.security.pgp
- Path: sparky!uunet!shearson.com!snark!pmetzger
- From: pmetzger@snark.shearson.com (Perry E. Metzger)
- Subject: Re: PGP 2.1 source posted to alt.sources
- Message-ID: <1993Jan8.173731.25964@shearson.com>
- Sender: news@shearson.com (News)
- Organization: Partnership for an America Free Drug
- References: <1993Jan7.115335.1216@cs.aukuni.ac.nz> <C0IFAw.3vy@bcstec.ca.boeing.com>
- Date: Fri, 8 Jan 1993 17:37:31 GMT
- Lines: 25
-
- vanzwol@bcstec.ca.boeing.com (Ted Van Zwol) writes:
- >In article <1993Jan7.115335.1216@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes:
- >>I have posted the PGP 2.1 sources to alt.sources - see the posting itself for
- >>more details (I assume everyone knows what PGP 2.1 is :-).
- >
- >This intrigues me. I'm not accusing you (Peter) of anything, but consider:
- >
- >How do we know the PGP sources on alt.sources (or even that on any FTP site
- >for that matter) are "safe"? What kind of precautions or checks exist to
- >prevent bogus code from cropping up? Why couldn't some intelligence agency
- >get their hands on the code and weaken the encryption algorithm just enough
- >for them and then distribute the modified source to the rest of the world?
-
- Well, if you have an earlier version of PGP that you trust, someone
- can digitally sign the new version and you can trust it if the
- signature corresponds to someone you trust.
-
- Admittedly this does not solve the bootstrap problem, but then again
- nothing does. How do you know that ANYONE is trustworthy? How do you
- know your wife isn't poisoning you, for example?
-
- --
- Perry Metzger pmetzger@shearson.com
- --
- Laissez faire, laissez passer. Le monde va de lui meme.
-