I used to feel reasonably safe using PGP 2.6.2. I still use it, but not the unix port whose code I actually looked at and ran some test vectors on. I use ports on non-unix boxes that I have no source for, and on some newer machines I even used (oh, shame) 7.0.3 several times.
So I don't think I'll trust more than, say, $10K to this particular encryption. If I ever needed to deal with millions or lives, I'd use OTP on CDs (never forget to take one CD from the pair when you visit faraway friends and associates). Now that crypto is not sexy any more, and buzzwords have replaced content, I don't think that anyone examines the PGP code any more. When was the last time someone looked at 2.6.2 or any other sources available for download, or just checked the signatures?
Just for fun, I downloaded the 2.6.2 sources for mac. Signed with key ID 0x0DBF906D. Where do I find whose key is that? According to the MIT server, http://keyserver.linux.it/, http://www.dfn-pca.de/pgpkserv/, it's:
1994/08/27 Jeffrey I. Schiller <[EMAIL PROTECTED]>
pgp.com's server is offline. http://www.infran.ru/PGP/pks-commands.html is damaged.
So 3 servers agree. But the problem is, I do not know who Jeffrey I. Schiller is and whether I should trust him. And I don't care about any assurances that come from people personally unknown to me via electronic means. And I am not going to examine the code. End of research.
So I'll stick to my $10K limit, which essentially means that I treat PGP as an elaborate uuencode that few will bother to uudecode for a gain of less than $10k. This is practical security for me of a software package that has been around for a decade and that was probably scrutinised more than any other code on the planet.
So, if I were to use a stand-alone e-money technology (not maintained/backed by the bank/government, but mathematically secure in itself and therefore equivalent to cash - yes, I know that such does not exist yet) then it would have to get similar exposure as PGP did, be there for several years, and still I would not trust more than a few $K to it. Which means that it is highly unlikely that any sizeable portion of my income or expenses will ever be transferred by untraceable e-money.