> third party -- your mailserver administrator
The "third party" you don't trust is your own sysadmin. That person already has
access to the plain text messages right now. So does everyone tapping your
connections. We suggest that you limit that risk to the sysadmin you already
trust.
> telling people that your product will keep their communications secure
Yes, we are. We suggest that GPG crypto is more secure than no crypto, and
better when it works for everyone in the group.
Experts can still encrypt their own messages. That approach has had 20 years to
work. Most people still don't encrypt mail at all.
Good encryption that is used is much better than encryption only used by an
elite.
> Made false claims that DSA is compromised
I said "was certainly compromised in the past". As you know, one source for DSA
flaws is the current ssh-keygen man page:
"DSA keys must be exactly 1024 bits as specified by FIPS 186-2."
You apparently feel there is some explanation for "exactly 1024 bits" other
than the obvious one, that keys of that length are compromised. NIST changed
this spec later, but always kept DSA.
If you want another source, NSA themselves consider DSA, specifically ECDSA, to
be only Grade B security. With their usual misdirection, NSA calls it "Suite
B". Red Hat explicitly says the NSA's Suite B is only good enough for "most"
classified information. See
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Release_Notes/bh-chap-security.html
> Made false claims that NIST . . .
NIST has often changed specs as each compromise is discovered. Examples are
DES, DSA, and Elliptic Curve. A very recent discussion is from "Keeping Secrets
-- STANFORD magazine"
(https://medium.com/stanford-select/keeping-secrets-84a7697bf89f):
"The agency has a second tactic to prevent the spread of cryptographic
techniques: keeping high-grade cryptography out of the national standards. To
make it easier for different commercial computer systems to interoperate, the
National Bureau of Standards (now called NIST) coordinates a semipublic process
to design standard cryptographic algorithms. ... The NSA's influence over the
standards process has been particularly effective at mitigating what it
perceived as the risks of nongovernmental cryptography. By keeping certain
cryptosystems out of the NBS/NIST standards, the NSA facilitated its mission of
eavesdropping on communications traffic."
I suggest you are more careful about your accuracy before you make accusations
of false claims, or use the nasty slur "snake oil".
GoodCrypto warning: Anyone could have read this message. Use encryption, it
works.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
