I became aware of the post below only indirectly. I'll comment.
=====================8<===================
At 5:30 PM -0800 11/22/97, David Sternlight wrote:
And while you're introducing gratuitous issues unrelated to the
discussion,
why did PGP disable RSA key generation in Free PGP 5.0, and remove RSA
compatibility completely from Free PGP 5.5
Very simple. How can we with good conscience allow users to generate
keys
which we don't feel meet our security standards? We can't. Case
closed.
This is a bogus explanation for two reasons:
1. PGP Inc. disabled RSA key generation in free PGP 5.0 but kept it in most
versions of pay PGP 5.0.
2. Their "explanation" wasn't about RSA keys but the MD5 algorithm (see
below). Yet :
a. MD5 is a hash function not an encryption algorithm.
b. There have been no practical cases of signature spoofing with MD5--it
hasn't been broken.
c. The concern is mostly theoretical and remote. Even if one could generate
a spurious message with the same hash as a real one, the spurious messages
would overwhelmingly likely be gibberish.
d. No general method has been shown which generates a hashed message with
spurious but substantive motivated content having the same hash as a
particular "real" message.
e. The alternatives PGP 'likes" simply have a larger hash space but the
same weakness. If a general solution to faking hashes is found the "new"
hashes PGP uses would be just as vulnerable as MD5. Absent a general
solution, chances of a motivated and genuine-seeming message having the
same hash as the one being spoofed are essentially nil for MD5 as for
longer substitutes.
f. Moving to a new, longer hash function is about of the same class as
moving from a 1024 to a 2048 bit key--theoretically more secure but not, in
general, practically so. There is plenty of time to do so in an
evolutionary way without vitiating existing keys, existing signatures, and
the existing web of trust, as PGP Inc. has so vitiated with Free PGP 5.52.
c. PGP Inc. has made no attempt to remove MD5 in pay PGP 5.0
In short, PGP Inc. has taken the weakest and most vulnerable sector--the
free users, and shoved it to them in an authoritarian "big brother" way.
(Ironic, that, given many PGP' staffers' and the founder's ideological
pretensions). Since that is the "huge" RSA-key user base (check the MIT and
linked international servers) PGP is waving around to justify itself both
in press releases and to the IETF, a more egregious case of biting the hand
that indirectly feeds one is hard to imagine.
If you're unfamiliar with why RSA keys are not as secure as we'd like,
you
should check archives of the newsgroups for the past few years. The
weaknesses of MD5
MD5 is not "RSA keys". RSA keys have not been shown in any way to be
insecure any more than other keys of comparable length. The author purports
to be a PGP expert. Not a very impressive demonstration of expertise.
and the KeyID attacks were the two primary security
issues we felt absolutely had to be addressed in 5.0.
But they weren't by dropping RSA. Pay PGP 5.0 still has RSA in most
versions.
The development
team
couldn't have cared less about RSA licensing issues. The only issue
was
security.
Nonsense.Free PGP 5.0 still has RSA encryption and decryption. Only key
generation has been disabled. Pay PGP 5.0 (most versions) have RSA key
generation as well. This is a bogus explanation.
Fixing those required a new key format. As long as we were
changing the key format, we decided to switch to unencumbered
algorithms
at
the same time since the hit was the same either way -- everyone would
need
new keys.
Then why didn't you drop RSA encryption and decryption in Free PGP, and RSA
key generation as well in pay PGP.? And it's a lot more than screwing users
by making them get new keys. The free user base on which PGP made its
reputation is now forced to get new signatures and reconstruct the entire
web of trust as well with Free PGP 5.52, which contains no RSA. Brave talk,
but if you had any integrity you would have explained any concerns and left
it up to users by preserving all options--not crammed it down the free
user's throats.
This is especially underhanded-seeming since Free PGP 5.0 uses RSAREF,
which can generate RSA keys, carries no fees, and is not in legal dispute
as between PGP Inc. and RSADSI.
If a particular user doesn't mind the security issues with
RSA
keys, they should feel free to continue using them although the number
of
versions supporting those keys available from us will undoubtedly
continue
to dwindle, and at the same time the number of versions and platforms
supporting DH/DSS keys will continue to grow dramatically.
Pretty evasive and doesn't resolve the blatant contradictions in the above.
-Will
Will Price, Architect/Sr. Mgr.
Pretty Good Privacy, Inc.
David Sternlight, Ph.D.
smime.p7s
Description: S/MIME Cryptographic Signature