1993-08-28 - Re: .Comparing ViaCrypt and freeware.

Header Data

From: bill@twwells.com (T. William Wells)
To: cypherpunks@toad.com
Message Hash: 974b715a48696699c8d4e635ad756b640bfa75563c085cc7c967d7fabfedcd98
Message ID: <CCGF53.1xI@twwells.com>
Reply To: <9308280330.AA24324@toad.com>
UTC Datetime: 1993-08-28 07:12:59 UTC
Raw Date: Sat, 28 Aug 93 00:12:59 PDT

Raw message

From: bill@twwells.com (T. William Wells)
Date: Sat, 28 Aug 93 00:12:59 PDT
To: cypherpunks@toad.com
Subject: Re: .Comparing ViaCrypt and freeware.
In-Reply-To: <9308280330.AA24324@toad.com>
Message-ID: <CCGF53.1xI@twwells.com>
MIME-Version: 1.0
Content-Type: text/plain


In article <9308280330.AA24324@toad.com>,
peter honeyman <honey@citi.umich.edu> wrote:
: i'm impressed.  (honest.)  but the task here isn't to compare viacrypt
: to pgp -- they use different rsa engines -- it's validating that viacrypt
: doesn't have a backdoor.  the diff scheme you describe presupposes that
: this step has been done, but it has not, and i think it would be very,
: very hard to do.

My understanding is that the two pieces of software are very
similar. A full decompile and analysis would be a pain (but
doable and worthwhile, if one is paranoid enough) but I don't
think it's necessary.

My thought is that once one has isolated the differences, those
alone would get scrutinized. One would isolate the rsa engines by
difference, pretty up the code, and then verify that it doesn't
have any backdoors. So long as the two versions are closely
related, the code that has to be understood apart from pgp should
be relatively small and that would make the verification process
much easier.





