From: nobody@replay.com (Anonymous)
Date: Sat, 18 Jan 1997 14:41:34 -0800 (PST)
To: cypherpunks@toad.com
Subject: Concerned about Pretty Safe Mail for Mac
Message-ID: <199701182241.XAA29079@basement.replay.com>
MIME-Version: 1.0
Content-Type: text/plain


  I'm concerned about the product "Pretty Safe Mail" for the Macintosh,
by a company called Highware. I was wondering whether anyone here had
tried evaluating it at all.

  It is a complete PGP implementation (not a front-end). They claim
to have licensed some of PRZ's code from PGP. However, as far as I
can tell, they are not making any of the source code available.

  As someone on the comp.security.pgp newsgroups pointed out, writing
a wonderful user interface on a PGP trojan horse that either crippled
the session key generator or used the session key to leak random
portions of secret key primes would be a perfect tactic for a
government wishing to penetrate PGP security. With such a great
interface, compared to the original PGP, it can't help but become
widely used.

  I realize that without the source code, it's a major hassle, but
has anyone looked at Pretty Safe Mail (previously called Safemail)
at all for suspicious behavior? For example:

  1) non-random session key generation?
  2) non-random key pair generation?
  3) unnecessary disk access to secret keys?
  4) anything else?

  Any findings, positive or negative, would be appreciated.