1995-08-01 - Re: a hole in PGP

Header Data

From: Matt Blaze <mab@crypto.com>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: bfc452cddd6a1b92ed73a376c3561020ba5232bd611e7985b57491903a63f468
Message ID: <199508010341.XAA27354@crypto.com>
Reply To: <9508010250.AA14743@all.net>
UTC Datetime: 1995-08-01 03:33:43 UTC
Raw Date: Mon, 31 Jul 95 20:33:43 PDT

Raw message

From: Matt Blaze <mab@crypto.com>
Date: Mon, 31 Jul 95 20:33:43 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: a hole in PGP
In-Reply-To: <9508010250.AA14743@all.net>
Message-ID: <199508010341.XAA27354@crypto.com>
MIME-Version: 1.0
Content-Type: text/plain

>> >Under what analysis do you construe "It cannot be safely assumed" as
>> >"near-defamatory"?
>> Because you seem to be pointing a finger at specific people.  Your
>> recent messages imply (to me, at least) that you think one or more
>> members of the MIT PGP project may have deliberately tampered with
>> some of the PGP code.
>I don't believe I actually said any such thing.  Perhaps you are not
>reading (or I am not writing) carefully enough.  All I think I did was
>ask why I should believe they have not when they or those like them have
>done it before. 

This speaks for itself.  "They or those like them," indeed!


>The fact is, you seem to support the idea that PGP is secure without a
>reasonable basis, and when pushed a bit harder, agree that it probably
>is not secure. 

I never made any claim that PGP is "secure".  Quite the contrary -
I've been complaining about the security implications of PGP's
monolithic structure and complexity since I first saw the code, though
I did state the basis on which I trust it little less than I trust
other software of equal complexity.  Primarily, however, I jumped in
to this discussion to take issue with your unfair implication that
there is reason to suspect deliberate wrongdoing on the part of the
MIT people.  If your remarks are based on some specific information
you know about some person or group, please tell us.  Otherwise, it
would be a shame to allow your credibility to taint these people in the
backs of people's minds just for the sake of a casual, throwaway
rhetorical device.  There is no need to raise the specter of an evil
conspiracy to make your point.  It's irrelevant and beneath you, based
on what I've read of your earlier work on viruses.

Feel free to have the last word if you'd like, since we seem to AGREE
that PGP needs more analysis and scrutiny.