From: danisch@ira.uka.de (Hadmut Danisch)
Date: Tue, 1 Aug 95 04:25:29 PDT
To: cypherpunks@toad.com
Subject: Re: a hole in PGP
Message-ID: <9508011120.AA11301@elysion.iaks.ira.uka.de>
MIME-Version: 1.0
Content-Type: text/plain


> 	Clever back doors are not accomplished by an obvious program
> change, but rather by the subtle use of some technique that appears to
> do one thing when it actually does something else.  As a good example, a
> subtle interation with the rest of the environment could modify the key
> generation algorithm after it is loaded.  Unfortunately, PGP is too
> large to verify against such back doors, so I ask again:
> 
> 	Why (specifically) do you think the MIT version of PGP has no
> backdoors and is not subject to attacks such as the one outlined in my
> previous posting?


This is a good question. 

Subtle backdoors hidden in such a program may be difficult to find out.
It might be more effective to use the PGP file format, to understand
pgp as a reference implementation, and to write you own pgp compatible
program where you can generate your keys etc. in the way you prefer.

Hadmut