Xref: gmd.de comp.org.eff.talk:14946 alt.privacy:5887
Newsgroups: comp.org.eff.talk,alt.privacy
Path: gmd.de!newsserver.jvnc.net!howland.reston.ans.net!vixen.cso.uiuc.edu!
cs.uiuc.edu!kadie
From: ka...@cs.uiuc.edu (Carl M Kadie)
Subject: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <CFtKy0.FBK@cs.uiuc.edu>
Followup-To: comp.org.eff.talk,alt.privacy,alt.security.pgp
Organization: University of Illinois, Dept. of Comp. Sci., Urbana, IL
Date: Mon, 1 Nov 1993 15:42:00 GMT
Lines: 72

[A repost - Carl]

Newsgroups: alt.security.pgp
From: hu...@gargoyle.uchicago.edu (Hugh Miller)
Subject:  ViaCrypt PGP ships today
Message-ID: <hugh.752165510@gargoyle>
Date: Mon, 1 Nov 1993 14:51:50 GMT

    ViaCrypt, Inc., will begin shipping ViaCrypt PGP today, 1 November
1993.  ViaCrypt PGP is a commercial public-key encryption package which is 
based on, and virtually identical with, the freeware program known as PGP, 
or `Pretty Good Privacy.' (The source code is in fact identical to that of 
the freeware version 2.3a of PGP, with the exception of the RSA encryption 
module, which is one ViaCrypt developed in-house after acquiring a license 
for the algorithm from PKPartners.  In addition, ViaCrypt incorporates a 
few bug fixes.  The private-key crypto algorithm is IDEA, as in freeware 
PGP, for which ViaCrypt has obtained a license from Ascom-Tech AG of Zurich.)  
ViaCrypt bought its RSA license from PKP before either PKP or ViaCrypt knew
that ViaCrypt would someday use it to sell PGP.  ViaCrypt later acquired 
the rights to sell PGP from Phil Zimmermann.  I don't know what PKP thinks 
of this state of affairs, but ViaCrypt's PKP license clearly allows them
to sell PGP.

    Output is byte-for-byte identical with that of freeware PGP 2.3a, except 
that the `Version' header atop the message body reads "Version: 2.4" 
instead of "Version: 2.3a".  Keys, signature certificates, binary or 
ASCII-armored ciphertexts, produced by one program will be identical to, 
and transparently handled by, the other.  ViaCrypt PGP will (for now) be 
available in the US and Canada only, pending any future relaxation of the 
ITAR export control laws.  Phil Zimmermann says no compromises in the 
cryptographic strength of PGP were made for ViaCrypt's version of PGP.

    The ViaCrypt PGP package includes program disks (executables only, no 
source code), user manual, and individual user license.  The current release 
will be for MS-DOS only; ViaCrypt plans to ship a UNIX version soon. 
Introductory price of a single user package is US$100.  (For purchases 
of 20 units or more, a substantial discount -- price drops to about US$41 
per user -- is available.)

    To purchase ViaCrypt PGP or to find out more about it, you can contact
them as follows:

    ViaCrypt
    2104 W. Peoria Ave.
    Phoenix, AZ 85029 USA
    602-944-0773 (Voice)
    602-943-2601 (FAX)
    7030...@compuserve.com (Netmail)

    I have no connection with ViaCrypt, commercial or otherwise.  Indeed, I
disagree in principle with the concept of algorithm patents.  I think, 
though, that the net, and particularly users and admirers of the freeware 
PGP deserve to hear about this.  Because ViaCrypt paid PKP for a 
license, users of ViaCrypt can now utilize PGP with absolutely no fear of 
lawsuit for patent infringement.  Since ViaCrypt will ship only in 
USA/Canada, ITAR violations are not at issue.  This will enable the 
PGP approach, with its decentralized distributed-trust key management, 
to achieve crucial penetration into the corporate marketplace.  
This will speed its acceptance as the de facto email crypto standard, 
as opposed to other centralized or key-escrow schemes, like PEM or Clipper.  
And ViaCrypt PGP will enable U.S. users to communicate completely legally 
with non-U.S. users of PGP 2.3a.

-- 

Hugh Miller       | Asst. Prof. of Philosophy |  Loyola University Chicago
FAX: 312-508-2292 |    Voice: 312-508-2727    |  hmi...@lucpul.it.luc.edu
PGP 2.3A Key fingerprint: FF 67 57 CC 0C 91 12 7D  89 21 C7 12 F7 CF C5 7E

-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = ka...@cs.uiuc.edu =

Xref: gmd.de comp.org.eff.talk:14970 alt.privacy:5909 alt.security.pgp:5886
Newsgroups: comp.org.eff.talk,alt.privacy,alt.security.pgp
Path: gmd.de!xlink.net!howland.reston.ans.net!sol.ctr.columbia.edu!
news.kei.com!ub!galileo.cc.rochester.edu!news
From: g...@math.rochester.edu (Geoffrey T. Falk)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <1993Nov1.220854.26455@galileo.cc.rochester.edu>
Sender: ne...@galileo.cc.rochester.edu
Nntp-Posting-Host: gauss.math.rochester.edu
Organization: University of Rochester Computing Center
References: <CFtKy0.FBK@cs.uiuc.edu>
Date: Mon, 1 Nov 93 22:08:54 GMT
Lines: 27

In article <CFtKy...@cs.uiuc.edu> ka...@cs.uiuc.edu (Carl M Kadie) writes:
> [A repost - Carl]
> 
> Newsgroups: alt.security.pgp
> From: hu...@gargoyle.uchicago.edu (Hugh Miller)
> Subject:  ViaCrypt PGP ships today
> Message-ID: <hugh.752165510@gargoyle>
> Date: Mon, 1 Nov 1993 14:51:50 GMT
> 
>     ViaCrypt, Inc., will begin shipping ViaCrypt PGP today, 1 November 1993
..
>  Phil Zimmermann says no compromises in the 
> cryptographic strength of PGP were made for ViaCrypt's version of PGP.
> 
>     The ViaCrypt PGP package includes program disks (executables only, no 
> source code), 
..

I trust Phil, but without source code I can go through, I can tell you for a  
fact I won't be using it.

Unless, possibly, there are PGP signatures on the executable, as well as signed  
statements, from Phil and from international PGP developers and users, saying  
that they were permitted to look through the code, watched it being compiled,  
and can vouch for its integrity.

g.

Newsgroups: alt.security.pgp
Path: gmd.de!xlink.net!howland.reston.ans.net!europa.eng.gtefsd.com!
uunet!decwrl!decwrl!pacbell.com!amdahl!netcomsv!netcom.com!gbe
From: g...@netcom.com (Gary Edstrom)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <gbeCFu6J4.2tw@netcom.com>
Followup-To: alt.security.pgp
Organization: NETCOM On-line Communication Services (408 241-9760 guest)
X-Newsreader: TIN [version 1.2 PL1]
References: <CFtKy0.FBK@cs.uiuc.edu> 
<1993Nov1.220854.26455@galileo.cc.rochester.edu>
Date: Mon, 1 Nov 1993 23:28:15 GMT
Lines: 8

Short of shipping the source code with the new PGP, is there any way that
ViaCrypt can let users verify for themselves that there is no trap door
in the software?
-- 
Gary B. Edstrom          | Engineer
Internet: g...@netcom.com | Sequoia Software
CompuServe: 72677,564    | P.O. Box 9573
Fax: 1-818-247-6046      | Glendale, CA 91226

Path: gmd.de!xlink.net!math.fu-berlin.de!news.rrz.uni-hamburg.de!
fbihh.informatik.uni-hamburg.de!bontchev
From: bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Newsgroups: alt.security.pgp
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Date: 2 Nov 1993 08:50:12 GMT
Organization: University of Hamburg -- Germany
Lines: 19
Message-ID: <2b5704$adb@rzsun02.rrz.uni-hamburg.de>
References: <CFtKy0.FBK@cs.uiuc.edu> 
<1993Nov1.220854.26455@galileo.cc.rochester.edu> <gbeCFu6J4.2tw@netcom.com>
NNTP-Posting-Host: fbihh.informatik.uni-hamburg.de
X-Newsreader: TIN [version 1.2 PL2]

Gary Edstrom (g...@netcom.com) writes:

> Short of shipping the source code with the new PGP, is there any way that
> ViaCrypt can let users verify for themselves that there is no trap door
> in the software?

Yes, they could include a detached signature of the executable and
this signature must be from Phil Zimmermann. The only problem is that,
in order to verify it, you must already have a trusted version of PGP.
Of course, once ViaCrypt ships a "trusted" first version, all others
can be verified easily.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

Newsgroups: alt.security.pgp
Path: gmd.de!newsserver.jvnc.net!howland.reston.ans.net!xlink.net!
sol.ctr.columbia.edu!news.kei.com!eff!news.umbc.edu!haven.umd.edu!
darwin.sura.net!spool.mu.edu!umn.edu!csus.edu!netcom.com!gbe
From: g...@netcom.com (Gary Edstrom)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <gbeCFvFKp.6uv@netcom.com>
Organization: NETCOM On-line Communication Services (408 241-9760 guest)
X-Newsreader: TIN [version 1.2 PL1]
References: <CFtKy0.FBK@cs.uiuc.edu> 
<1993Nov1.220854.26455@galileo.cc.rochester.edu> 
<gbeCFu6J4.2tw@netcom.com> <2b5704$adb@rzsun02.rrz.uni-hamburg.de>
Date: Tue, 2 Nov 1993 15:41:13 GMT
Lines: 21

Vesselin Bontchev (bont...@fbihh.informatik.uni-hamburg.de) wrote:
: Gary Edstrom (g...@netcom.com) writes:

: > Short of shipping the source code with the new PGP, is there any way that
: > ViaCrypt can let users verify for themselves that there is no trap door
: > in the software?

: Yes, they could include a detached signature of the executable and
: this signature must be from Phil Zimmermann. The only problem is that,
: in order to verify it, you must already have a trusted version of PGP.
: Of course, once ViaCrypt ships a "trusted" first version, all others
: can be verified easily.

The signature prevents tampering ONLY from outside of ViaCrypt, NOT from
tampering done within ViaCrypt.

-- 
Gary B. Edstrom          | Engineer
Internet: g...@netcom.com | Sequoia Software
CompuServe: 72677,564    | P.O. Box 9573
Fax: 1-818-247-6046      | Glendale, CA 91226

Path: gmd.de!xlink.net!math.fu-berlin.de!news.rrz.uni-hamburg.de!
fbihh.informatik.uni-hamburg.de!bontchev
From: bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Newsgroups: alt.security.pgp
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Date: 2 Nov 1993 19:31:03 GMT
Organization: University of Hamburg -- Germany
Lines: 24
Message-ID: <2b6chn$lvd@rzsun02.rrz.uni-hamburg.de>
References: <CFtKy0.FBK@cs.uiuc.edu> 
<1993Nov1.220854.26455@galileo.cc.rochester.edu> 
<gbeCFu6J4.2tw@netcom.com> <2b5704$adb@rzsun02.rrz.uni-hamburg.de> 
<gbeCFvFKp.6uv@netcom.com>
NNTP-Posting-Host: fbihh.informatik.uni-hamburg.de
X-Newsreader: TIN [version 1.2 PL2]

Gary Edstrom (g...@netcom.com) writes:

> : Yes, they could include a detached signature of the executable and
> : this signature must be from Phil Zimmermann. The only problem is that,
> : in order to verify it, you must already have a trusted version of PGP.
> : Of course, once ViaCrypt ships a "trusted" first version, all others
> : can be verified easily.

> The signature prevents tampering ONLY from outside of ViaCrypt, NOT from
> tampering done within ViaCrypt.

That's why I said "from Phil Zimmermann". This would mean that Phil
has checked the sources and the fact that they produce exactly this
executable, and guarantees this with his signature. I hope you trust
him not to put any backdoor in PGP, otherwise you wouldn't be using
PGP at all... :-)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

Newsgroups: alt.security.pgp
Path: gmd.de!xlink.net!howland.reston.ans.net!sol.ctr.columbia.edu!
news.kei.com!ub!galileo.cc.rochester.edu!news
From: g...@math.rochester.edu (Geoffrey T. Falk)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <1993Nov2.192055.25547@galileo.cc.rochester.edu>
Sender: ne...@galileo.cc.rochester.edu
Nntp-Posting-Host: gauss.math.rochester.edu
Organization: University of Rochester Computing Center
References: <2b5704$adb@rzsun02.rrz.uni-hamburg.de>
Date: Tue, 2 Nov 93 19:20:55 GMT
Lines: 36

In article <2b5704$a...@rzsun02.rrz.uni-hamburg.de>  
bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> Gary Edstrom (g...@netcom.com) writes:
> 
> > Short of shipping the source code with the new PGP, is there any way that
> > ViaCrypt can let users verify for themselves that there is no trap door
> > in the software?
> 
> Yes, they could include a detached signature of the executable and
> this signature must be from Phil Zimmermann. The only problem is that,
> in order to verify it, you must already have a trusted version of PGP.
> Of course, once ViaCrypt ships a "trusted" first version, all others
> can be verified easily.
> 
> Regards,
> Vesselin

My last message on this thread seems to have been missed. Let me repeat.

Of course, I would not use ViaCrypt PGP unless the executable is signed.  
Naturally I would prefer to look at the source myself, but to be realistic, it  
would be necessary to compromise.

Therefore I propose to ViaCrypt that they get the executable signed by Phil Z.,  
AND ALSO by a number of other independent people from outside the US. They must  
be permitted by ViaCrypt to look through the source code, and watch it being  
compiled. I would expect signatures from some of the other PGP developers, for  
instance Colin Plumb, Peter Gutmann, Branko Lankester, and also independent  
users who have been with PGP from the beginning and who have participated in  
discussions in this newsgroup. These are all people whom I more or less would  
trust not to have been paid off by ViaCrypt.

I'd volunteer myself, if they can work out the logistics of it all. (BTW. I am  
a Canadian citizen.)

g.

Newsgroups: alt.security.pgp
Path: gmd.de!xlink.net!howland.reston.ans.net!pipex!sunic!kth.se!
news.kth.se!d87-mal
From: d87...@mumrik.nada.kth.se (Mats Löfkvist)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
In-Reply-To: gtf@math.rochester.edu's message of Tue, 2 Nov 93 19:20:55 GMT
Message-ID: <D87-MAL.93Nov2233246@mumrik.nada.kth.se>
Sender: use...@kth.se
Nntp-Posting-Host: mumrik.nada.kth.se
Organization: Royal Institute of Technology, Stockholm, Sweden
References: <2b5704$adb@rzsun02.rrz.uni-hamburg.de>
	<1993Nov2.192055.25547@galileo.cc.rochester.edu>
Date: Tue, 2 Nov 1993 22:32:46 GMT
Lines: 27

In article <1993Nov2.1...@galileo.cc.rochester.edu> 
g...@math.rochester.edu (Geoffrey T. Falk) writes:

   Therefore I propose to ViaCrypt that they get the executable signed by
   Phil Z., AND ALSO by a number of other independent people from outside
   the US. They must be permitted by ViaCrypt to look through the source code,
   and watch it being compiled. I would expect signatures from some of the
   other PGP developers, for instance Colin Plumb, Peter Gutmann, Branko
   Lankester, and also independent users who have been with PGP from the
   beginning and who have participated in discussions in this newsgroup.
   These are all people whom I more or less would trust not to have been
   paid off by ViaCrypt.

If you don't trust the ViaCrypt people, having Phil Z. and/or others go to
them and watch them build PGP is far from enough to make sure their exec is ok.
To trust the binaries built, you have to trust everything used to build it,
and of course you must be sure the source you had a look at really is what
is being compiled.

This can be solved (e.g. by having the "good people" bring their own hardware
including everything needed for the build except the source itself),
but is it really likely something like this can be arranged?

My guess is that those who buy from ViaCrypt simply have to trust ViaCrypt.

      _
Mats Lofkvist
d87...@nada.kth.se

Path: gmd.de!xlink.net!math.fu-berlin.de!news.rrz.uni-hamburg.de!
fbihh.informatik.uni-hamburg.de!bontchev
From: bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Newsgroups: alt.security.pgp
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Date: 3 Nov 1993 08:03:04 GMT
Organization: University of Hamburg -- Germany
Lines: 25
Message-ID: <2b7ojp$614@rzsun02.rrz.uni-hamburg.de>
References: <2b5704$adb@rzsun02.rrz.uni-hamburg.de> 
<D87-MAL.93Nov2233246@mumrik.nada.kth.se>
NNTP-Posting-Host: fbihh.informatik.uni-hamburg.de
X-Newsreader: TIN [version 1.2 PL2]

Mats Löfkvist (d87...@mumrik.nada.kth.se) writes:

> This can be solved (e.g. by having the "good people" bring their own hardware
> including everything needed for the build except the source itself),
> but is it really likely something like this can be arranged?

First, why "except the source itself"?! As far as I understand, the
product sold by ViaCrypt will be built from sources supplied by Phil.
Second, it's not so difficult to arrange it. Phil sends them the
sources, they specify the compiler they will be using and the
particular options, Phil gets a copy of the same compiler from an
independent source (e.g., buys it from a software shop), compiles the
sources with that compiler and with the specified options, and
compares the result with the code supplied by ViaCrypt. If both
executables match, he issues a detached sig and sends it to ViaCrypt.
They can't forge the sig or the program, because then Phil's sig won't
verify any more...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany
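
The rebuild-and-compare step described in the post above, together with the several-independent-signers idea proposed earlier in the thread, as an added example that is not part of any post or of PGP or ViaCrypt code. The builder names, the compiler string and the byte strings are constructed for illustration; creating and checking the detached signature over each statement is left to PGP and is assumed to have succeeded.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Attestation:
    """The statement one independent builder would put under a detached signature."""
    builder: str
    compiler: str
    options: str
    sha256: str


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None when the files are identical."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    if len(a) != len(b):
        return min(len(a), len(b))  # one file is a prefix of the other
    return None


def attest(builder: str, compiler: str, options: str,
           own_build: bytes, vendor_binary: bytes) -> Optional[Attestation]:
    """Builder side: attest only when the builder's own compile equals the vendor's bytes."""
    if first_difference(own_build, vendor_binary) is not None:
        return None
    digest = hashlib.sha256(vendor_binary).hexdigest()
    return Attestation(builder, compiler, options, digest)


def accept(received: bytes, attestations: Iterable[Optional[Attestation]],
           trusted: set, quorum: int) -> bool:
    """User side: require `quorum` distinct trusted builders vouching for exactly these bytes."""
    digest = hashlib.sha256(received).hexdigest()
    agreeing = {a.builder for a in attestations
                if a is not None and a.builder in trusted and a.sha256 == digest}
    return len(agreeing) >= quorum


# Constructed sample data: a stand-in "executable" and a copy with one byte changed.
CLEAN = b"MZ" + b"\x90" * 64 + b"session-key-rng" + b"\x00" * 16
TAMPERED = CLEAN.replace(b"session-key-rng", b"session-key-rnG")
COMPILER, OPTIONS = "example-cc 1.0", "-O2"          # hypothetical toolchain
TRUSTED = {"builder-a", "builder-b", "builder-c"}    # hypothetical signers


def demo() -> dict:
    statements = [attest(name, COMPILER, OPTIONS, CLEAN, CLEAN) for name in sorted(TRUSTED)]
    return {
        "clean_accepted": accept(CLEAN, statements, TRUSTED, quorum=2),
        "tampered_accepted": accept(TAMPERED, statements, TRUSTED, quorum=2),
        "tamper_offset": first_difference(CLEAN, TAMPERED),
        "attestation_refused": attest("builder-a", COMPILER, OPTIONS, CLEAN, TAMPERED) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The comparison only succeeds if the build is deterministic for the stated compiler and options; a compiler that embeds a timestamp or path shows up as a reported offset, not as a silent pass.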

Newsgroups: alt.security.pgp
Path: gmd.de!xlink.net!math.fu-berlin.de!sunmbx.netmbx.de!Germany.EU.net!
mcsun!uunet!spool.mu.edu!umn.edu!rabbit.cccs.umn.edu!RWH
From: R...@CCCS.UMN.EDU (Richard Hoffbeck)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <RWH.3.00096F3D@CCCS.UMN.EDU>
Sender: ne...@news2.cis.umn.edu (Usenet News Administration)
Nntp-Posting-Host: rabbit.cccs.umn.edu
Organization: CCCS
X-Newsreader: Trumpet for Windows [Version 1.0 Rev A]
References: <2b5704$adb@rzsun02.rrz.uni-hamburg.de> 
<D87-MAL.93Nov2233246@mumrik.nada.kth.se> 
<2b7ojp$614@rzsun02.rrz.uni-hamburg.de>
Date: Wed, 3 Nov 1993 15:26:00 GMT
Lines: 40

In article <2b7ojp$6...@rzsun02.rrz.uni-hamburg.de> 
bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>From: bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
>Date: 3 Nov 1993 08:03:04 GMT

>Mats Löfkvist (d87...@mumrik.nada.kth.se) writes:

>> This can be solved (e.g. by having the "good people" bring their own hardware
>> including everything needed for the build except the source itself),
>> but is it really likely something like this can be arranged?

>First, why "except the source itself"?! As far as I understand, the
>product sold by ViaCrypt will be built from sources supplied by Phil.
>Second, it's not so difficult to arrange it. Phil sends them the
>sources, they specify the compiler they will be using and the
>particular options, Phil gets a copy of the same compiler from an
>independent source (e.g., buys it from a software shop), compiles the
>sources with that compiler and with the specified options, and
>compares the result with the code supplied by ViaCrypt. If both
>executables match, he issues a detached sig and sends it to ViaCrypt.
>They can't forge the sig or the program, because then Phil's sig won't
>verify any more...

I have a couple of naive questions, and since the traffic seems to be low these
days I thought I'd take the opportunity:

1. If ViaCrypt produces the same encryption byte for byte as PGP where does
    the concern for a trap door come into play?  Or is the concern that 
    ViaCrypt could be limiting itself to generating a subset of session keys 
    whose characteristics are known to a third party?

2. I noticed that PGP generates keys from numbers that are relatively prime 
   which if memory serves are numbers where neither is a factor of the other 
   but where neither number need be a prime number.  Does this have any 
   interesting implications on the strength of the algorithm?

Thanks!

--rick

Newsgroups: alt.security.pgp
Path: gmd.de!xlink.net!howland.reston.ans.net!spool.mu.edu!umn.edu!
csus.edu!netcom.com!gbe
From: g...@netcom.com (Gary Edstrom)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <gbeCFxFu9.My8@netcom.com>
Organization: NETCOM On-line Communication Services (408 241-9760 guest)
X-Newsreader: TIN [version 1.2 PL1]
References: <2b5704$adb@rzsun02.rrz.uni-hamburg.de> 
<D87-MAL.93Nov2233246@mumrik.nada.kth.se> 
<2b7ojp$614@rzsun02.rrz.uni-hamburg.de> <RWH.3.00096F3D@CCCS.UMN.EDU>
Date: Wed, 3 Nov 1993 17:42:08 GMT
Lines: 19

Richard Hoffbeck (R...@CCCS.UMN.EDU) wrote:

: 1. If ViaCrypt produces the same encryption byte for byte as PGP where does
:     the concern for a trap door come into play?  Or is the concern that 
:     ViaCrypt could be limiting itself to generating a subset of session keys 
:     whose characteristics are known to a third party?

This may be OK for the first release of ViaCrypt PGP, but what about
future releases? Who's to say that ViaCrypt PGP and PRZ PGP don't go
their separate ways in the future with different file formats?
It would then be possible for someone at ViaCrypt to place a trap door
in the software.

Maybe I'm just too paranoid!
-- 
Gary B. Edstrom          | Engineer
Internet: g...@netcom.com | Sequoia Software
CompuServe: 72677,564    | P.O. Box 9573
Fax: 1-818-247-6046      | Glendale, CA 91226

Newsgroups: alt.security.pgp
Path: gmd.de!xlink.net!howland.reston.ans.net!europa.eng.gtefsd.com!
news.umbc.edu!eff!news.kei.com!ub!galileo.cc.rochester.edu!news
From: g...@math.rochester.edu (Geoffrey T. Falk)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <1993Nov3.191231.28437@galileo.cc.rochester.edu>
Sender: ne...@galileo.cc.rochester.edu
Nntp-Posting-Host: gauss.math.rochester.edu
Organization: University of Rochester Computing Center
References: <gbeCFxFu9.My8@netcom.com>
Date: Wed, 3 Nov 93 19:12:31 GMT
Lines: 31

> Richard Hoffbeck (R...@CCCS.UMN.EDU) wrote:
>
> 1. If ViaCrypt produces the same encryption byte for byte as PGP where does
>     the concern for a trap door come into play?  Or is the concern that 
>     ViaCrypt could be limiting itself to generating a subset of session
>     keys whose characteristics are known to a third party?

Random number generators are notoriously difficult to screen for such  
tampering. Essentially, you have to be an expert to tell if the space of  
generated keys is small or not.

g...@netcom.com (Gary Edstrom) wrote:
> 
> Maybe I'm just too paranoid!

You can't be too paranoid over such things. We have the tools of authentication  
and verification, so there is no excuse for not using them.

For instance, without accusing anybody, let me suggest the following  
possibility: ViaCrypt is/was under grand jury investigation, and in order to  
lessen their legal worries they made a deal with NSA to weaken PGP's session  
key space. Of course they wouldn't tell us if that was the case, but they also  
wouldn't be able to get Phil's signature on it if he noticed the code in the  
random number generator was different from the original code. That's why we  
NEED verification in cases like this.

[Of course, Phil also is/was under grand jury investigation, which (again,  
without accusing anybody of colluding with NSA) is why I suggested getting  
independent outsiders to examine the code as well.]

g.
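
The point made above about screening a key generator from the outside, as an added example that is not part of any post and is not PGP's generator. The generator here is a constructed stand-in that derives 128-bit keys from a chosen number of state bits; the sample size and the seed 1993 are arbitrary choices made so the run is repeatable.

```python
import hashlib
import math
import random
from collections import Counter


def make_keygen(state_bits: int, rng: random.Random):
    """Constructed generator: 128-bit keys derived from only `state_bits` of state."""
    def next_key() -> bytes:
        state = rng.getrandbits(state_bits)
        return hashlib.sha256(state.to_bytes(16, "big")).digest()[:16]
    return next_key


def ones_fraction(keys) -> float:
    """Simple bit-balance check: fraction of 1 bits over all sampled keys."""
    ones = sum(bin(int.from_bytes(k, "big")).count("1") for k in keys)
    return ones / (len(keys) * 128)


def colliding_pairs(keys) -> int:
    """Number of pairs of samples that produced the same key."""
    return sum(c * (c - 1) // 2 for c in Counter(keys).values())


def screen(next_key, samples: int = 5000) -> dict:
    """Black-box screen: bit balance plus a birthday estimate of the key space."""
    keys = [next_key() for _ in range(samples)]
    pairs = colliding_pairs(keys)
    trials = samples * (samples - 1) / 2
    if pairs:
        # Expected pairs = trials / keyspace, so keyspace is about trials / pairs.
        verdict, bits = "estimate", math.log2(trials / pairs)
    else:
        # No collision only shows the space is not much smaller than `trials`.
        verdict, bits = "lower bound", math.log2(trials)
    return {"ones": ones_fraction(keys), "pairs": pairs,
            "verdict": verdict, "bits": bits}


def demo() -> dict:
    """Screen generators with 16, 40 and 128 bits of real state."""
    return {b: screen(make_keygen(b, random.Random(1993))) for b in (16, 40, 128)}


if __name__ == "__main__":
    for state_bits, report in demo().items():
        print(state_bits, report)
```

All three generators pass the bit-balance check; only the 16-bit one is caught by collisions, and the 40-bit one gets the same "at least about 23 bits" result as the full 128-bit one, which is why sampling output does not replace reading the generator's code.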

Newsgroups: alt.security.pgp
Path: gmd.de!newsserver.jvnc.net!howland.reston.ans.net!
usenet.ins.cwru.edu!agate!headwall.Stanford.EDU!CSD-NewsHost.Stanford.EDU!
Xenon.Stanford.EDU!mogens
From: mog...@Xenon.Stanford.EDU (Christian L. Mogensen)
Subject: Re: [alt.security.pgp]  ViaCrypt PGP ships today
Message-ID: <1993Nov5.232303.13080@CSD-NewsHost.Stanford.EDU>
Sender: ne...@CSD-NewsHost.Stanford.EDU
Organization: Computer Science Department, Stanford University.
References: <gbeCFxFu9.My8@netcom.com> 
<1993Nov3.191231.28437@galileo.cc.rochester.edu>
Date: Fri, 5 Nov 1993 23:23:03 GMT
Lines: 6

> ViaCrypt is/was under grand jury investigation,

Don't joke, someone just told me that ViaCrypt is under indictment by
the Justice dept wrt. export controls...  This news item is a few weeks
old and not substantiated, but I trust his judgement.

Newsgroups: alt.security.pgp
Path: gmd.de!Germany.EU.net!mcsun!uunet!europa.eng.gtefsd.com!
howland.reston.ans.net!vixen.cso.uiuc.edu!uchinews!gargoyle!hugh
From: hu...@gargoyle.uchicago.edu (Hugh Miller)
Subject: Re: [alt.security.pgp] ViaCrypt PGP ships today
Message-ID: <hugh.752651175@gargoyle>
Sender: ne...@uchinews.uchicago.edu (News System)
Organization: University of Chicago -- Academic & Public Computing
References: <gbeCFxFu9.My8@netcom.com> 
<1993Nov3.191231.28437@galileo.cc.rochester.edu> 
<1993Nov5.232303.13080@CSD-NewsHost.Stanford.EDU>
Date: Sun, 7 Nov 1993 05:46:15 GMT
Lines: 77

In <1993Nov5.2...@CSD-NewsHost.Stanford.EDU> 
mog...@Xenon.Stanford.EDU (Christian L. Mogensen) writes:

>> ViaCrypt is/was under grand jury investigation,

>Don't joke, someone just told me that ViaCrypt is under indictment by
>the Justice dept wrt. export controls...  This news item is a few weeks
>old and not substantiated, but I trust his judgement.

No, not under indictment, merely the recipients of subpoenas as part of
the Customs investigation of Phil Zimmermann.  For further info, see the
following, which I posted here several weeks ago.

It is still pertinent.  Give to the Phil Zimmermann defense fund.  As
much and as soon as you can.

----------------------

    As you undoubtedly know, on September 14 LEMCOM Systems (ViaCrypt)
in Phoenix, Arizona was served with a subpoena issued by the US District
Court of Northern California to testify before a grand jury and produce
documents related to "ViaCrypt, PGP, Philip Zimmermann, and anyone or
any entity acting on behalf of Philip Zimmermann for the time period
June 1, 1991 to the present."
    Phil Zimmermann has been explicitly told that he is the primary
target of the investigation being mounted from the San Jose office of
U.S. Customs.  It is not known if there are other targets.  Whether or
not an indictment is returned in this case, the legal bills will be
astronomical.
    If this case comes to trial, it will be one of the most important
cases in recent times dealing with cryptography, effective
communications privacy, and the free flow of information and ideas in
cyberspace in the post-Cold War political order. The stakes are high,
both for those of us who support the idea of effective personal
communications privacy and for Phil, who risks jail for his selfless and
successful effort to bring to birth "cryptography for the masses,"
a.k.a. PGP.  Export controls are being used as a means to curtail
domestic access to effective cryptographic tools: Customs is taking the
position that posting cryptographic code to the Internet is equivalent
to exporting it.  Phil has assumed the burden and risk of being the
first to develop truly effective tools with which we all might secure
our communications against prying eyes, in a political environment
increasingly hostile to such an idea -- an environment in which Clipper
chips and Digital Telephony bills are our own government's answer to our
concerns.  Now is the time for us all to step forward and help shoulder
that burden with him.
    Phil is assembling a legal defense team to prepare for the
possibility of a trial, and he needs your help.  This will be an
expensive affair, and the meter is already ticking. I call on all of us,
both here in the U.S. and abroad, to help defend Phil and perhaps
establish a groundbreaking legal precedent.  A legal trust fund has been
established with Phil's attorney in Boulder.  Donations will be accepted
in any reliable form, check, money order, or wire transfer, and in any
currency.  Here are the details:

    To send a check or money order by mail, make it payable, NOT to Phil
Zimmermann, but to Phil's attorney, Philip Dubois.  Mail the check or
money order to the following address:

    Philip Dubois
    2305 Broadway
    Boulder, CO USA  80304
    (Phone #: 303-444-3885)

    To send a wire transfer, your bank will need the following
information:

    Bank: VectraBank
    Routing #: 107004365
    Account #: 0113830
    Account Name: "Philip L. Dubois, Attorney Trust Account"

    Any funds remaining after the end of legal action will be returned
to named donors in proportion to the size of their donations.

    You may give anonymously or not, but PLEASE - give generously.  If
you admire PGP, what it was intended to do and the ideals which animated
its creation, express your support with a contribution to this fund.